BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types.

If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity).

The following products are affected by the vulnerability

  • BD Pyxis ES Anesthesia Station
  • BD Pyxis CIISafe
  • BD Pyxis Logistics
  • BD Pyxis MedBank
  • BD Pyxis MedStation 4000
  • BD Pyxis MedStation ES
  • BD Pyxis MedStation ES Server
  • BD Pyxis ParAssist
  • BD Pyxis Rapid Rx
  • BD Pyxis StockStation
  • BD Pyxis SupplyCenter
  • BD Pyxis SupplyRoller
  • BD Pyxis SupplyStation
  • BD Pyxis SupplyStation EC
  • BD Pyxis SupplyStation RF auxiliary
  • BD Rowa Pouch Packaging Systems

BD said it is working with customers whose domain-joined server(s) credentials require updating and it is strengthening the credential management capabilities of BD Pyxis products.

BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:

  • Restrict physical access to Pyxis products to only authorized personnel
  • Tightly control management of system passwords
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity
  • Isolate affected products in a secure VLAN or behind firewalls and only permit communication with trusted hosts in other networks, when needed

BD Synapsys – CVE-2022-30277

Certain BD Synapsis products are affected by an insufficient session expiration vulnerability, which could potentially allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, which could potentially result in delayed or incorrect treatment. BD says a physical breach of a vulnerable workstation would be unlikely to lead to the modification of ePHI as the sequence of events has to be conducted in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a CVSS v3 base score of 5.7 out of 10 (medium severity).

The vulnerability affects D Synapsys versions 4.20, 4.20 SR1, and 4.30. The flaw will be addressed in BD Synapsys v4.20 SR2, which will be released this month.

BD has suggested the following compensating controls:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
  • Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys workstation.
  • Ensure industry standard network security policies and procedures are followed.

BD has alerted CISA, the FDA, and ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.