Share this article on:
Becton, Dickinson and Company (BD) has self-reported two vulnerabilities that affect its BD Pyxis automated medication dispensing systems, BD Rowa pouch packaging systems, and BD Viper LT automated molecular testing systems.
Both vulnerabilities are due to the use of hard-coded credentials. If exploited, the vulnerabilities could allow an unauthorized individual to access, modify, and delete sensitive data, which could include electronic protected health information (ePHI).
The most serious vulnerability, tracked as CVE-2022-22765, affects all versions of the BD Viper LT system from 2.0. The vulnerability has been assigned a CVSS severity score of 8.0 out of 10.
BD is currently working on a fix for the vulnerability, which will be included in the upcoming BD Viper LT system Version 4.80 software release. In the meantime, BD has suggested implementing compensating controls, such as ensuring physical access controls are in place, only permitting authorized individuals to access the system, disconnecting the system from the network access where possible, and if it is not possible to disconnect the system from network access, to implement industry-standard network security policies and procedures.
The second vulnerability, tracked as CVE-2022-22766, affects the BD Pyxis range of products and BD Rowa Pouch Packaging Systems. The vulnerability has been assigned a CVSS severity score of 7.0 out of 10. If exploited, an attacker could gain access to the file system and exploit application files that could be used to decrypt application credentials or gain access to ePHI.
Credentials are BD managed and are not visible to or used by customers to access or use BD Pyxis devices. That means that in order to exploit the vulnerability, threat actors would have to gain access to the hardcoded credentials, infiltrate a facility’s network, and gain access to individual devices.
BD said it is in the process of strengthening credential management capabilities in BD Pyxis devices. In the meantime, compensating controls can be implemented for the affected products. These include limiting physical access to authorized personnel, tightly controlling the management of BD Pyxis system credentials provided to authorized users, isolating products in a secure VLAN or behind firewalls, and monitoring and logging network traffic. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts. Users should work with their BD support team to ensure all patching and virus definitions are up to date.
“BD is committed to transparency with our customers and makes product security information, including vulnerability disclosures, available through the BD Cybersecurity Trust Center,” said BD in a statement. “As part of this commitment, BD posted product security bulletins about the use of hardcoded credentials… Hardcoded credentials are not used directly by customers or end-users to access these systems.”
There have been no reports of the vulnerabilities being exploited in clinical settings. BD self-reported the vulnerabilities to the FDA, ISAOs, and CISA for maximum awareness.