BD has published security alerts regarding two vulnerabilities that impact certain BD Pyxis automatic medication dispensing system products and the BD Synapsys microbiology informatics software program.
BD Pyxis – CVE-2022-22767
According to BD, a number of BD Pyxis products were installed with default credentials and may still be operating with those credentials. In certain situations, the affected products may have been configured with the same default local operating system credentials or domain-joined server credentials, which may also be shared across product types.
A threat actor who exploits the vulnerability could gain privileged access to the root file system, which would permit access to ePHI or other sensitive data. The vulnerability is tracked as CVE-2022-22767 and has been assigned a high-severity CVSS v3 base score of 8.8 out of 10.
The vulnerability impacted the following products:
- BD Rowa Pouch Packaging Systems
- BD Pyxis ES Anesthesia Station
- BD Pyxis Logistics
- BD Pyxis CIISafe
- BD Pyxis MedBank
- BD Pyxis MedStation ES
- BD Pyxis MedStation 4000
- BD Pyxis MedStation ES Server
- BD Pyxis ParAssist
- BD Pyxis Rapid Rx
- BD Pyxis SupplyCenter
- BD Pyxis StockStation
- BD Pyxis SupplyRoller
- BD Pyxis SupplyStation EC
- BD Pyxis SupplyStation
- BD Pyxis SupplyStation RF auxiliary
BD said it is working with customers whose domain-joined server credentials need to be updated, and that it is strengthening the credential management features of BD Pyxis products.
BD recommends the following compensating controls for users of Pyxis products that are still operating with default credentials:
- Limit physical access to Pyxis products to authorized personnel only
- Securely manage system passwords
- Monitor and log network traffic attempting to reach the affected products, and review it for suspicious activity
- Isolate affected products on a secure VLAN or behind firewalls, and only permit communication with trusted hosts on other systems when required
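As an added illustration of the monitoring and segmentation controls above (example code, not BD's own guidance or tooling; the log format, addresses and ports are constructed for the example), a small Python check that flags traffic entering an isolated Pyxis VLAN from any host outside an allowlist or on an unexpected port:

```python
import ipaddress

# Constructed, illustrative addresses (not from BD's advisory): the isolated
# Pyxis VLAN, the hosts allowed to reach it, and the port they should use.
PYXIS_SEGMENT = ipaddress.ip_network("10.50.20.0/24")
TRUSTED_HOSTS = {ipaddress.ip_address("10.10.5.15"),   # pharmacy app server
                 ipaddress.ip_address("10.10.5.16")}   # Pyxis ES server
EXPECTED_PORTS = {443}
# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = """\
2022-06-01T08:12:03Z action=allow src=10.10.5.15 dst=10.50.20.7 dport=443
2022-06-01T08:13:44Z action=allow src=10.10.5.16 dst=10.50.20.7 dport=443
2022-06-01T08:15:10Z action=allow src=172.16.4.22 dst=10.50.20.9 dport=3389
2022-06-01T08:15:12Z action=deny src=172.16.4.22 dst=10.50.20.9 dport=445
2022-06-01T08:16:01Z action=allow src=10.10.5.15 dst=10.10.7.4 dport=443
"""

def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        rec[key] = value
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec

def find_suspicious(log_text):
    """Flag traffic into the Pyxis VLAN from untrusted hosts or to odd ports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PYXIS_SEGMENT:
            continue  # malformed, or not aimed at the isolated products
        reasons = []
        if rec["src"] not in TRUSTED_HOSTS:
            reasons.append(f"untrusted source {rec['src']}")
        if rec["dport"] not in EXPECTED_PORTS:
            reasons.append(f"unexpected port {rec['dport']}")
        if reasons:  # denied attempts are worth seeing too, so keep the action
            findings.append((rec["ts"], rec.get("action", "?"), "; ".join(reasons)))
    return findings
```

Run against the constructed sample, it reports the two connections from the unlisted workstation and ignores trusted traffic and traffic that never enters the Pyxis segment.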
BD Synapsys – CVE-2022-30277
A number of BD Synapsys products are affected by an insufficient session expiration vulnerability, which could allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, potentially leading to delayed or inappropriate treatment. BD states that a physical breach of a vulnerable workstation may not result in modification of ePHI, as the sequence of events must be performed in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a medium-severity CVSS v3 base score of 5.7 out of 10.
The vulnerability affects BD Synapsys versions 4.20, 4.20 SR1, and 4.30. It will be resolved in BD Synapsys v4.20 SR2, which is due to be released this month.
BD has recommended the following compensating controls:
- Configure the inactivity session timeout in the operating system to complement the session expiration timeout in BD Synapsys.
- Ensure physical access controls are in place and that only authorized users can access BD Synapsys workstations.
- Place a reminder on all computers for end users to save their work and log out or lock the workstation whenever they leave the BD Synapsys workstation.
- Ensure industry-standard network security policies and procedures are implemented.
BD has notified CISA, the FDA, and the ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.