The U.S. Cybersecurity & Infrastructure Security Agency (CISA) today released advisories on two products from BD (NYSE:BDX).

Vulnerabilities with the BD Pyxis automated medication dispensing system and the BD Synapsys microbiology informatics software were voluntarily reported by Franklin Lakes, New Jersey-based BD through the CISA coordinated vulnerability disclosure program.

The BD Pyxis vulnerability is categorized as “Not Using Password Aging.” Successful exploitation could allow an attacker to gain access to electronic protected health information (ePHI) or other sensitive information, according to the CISA notice. CISA determined that the vulnerability is exploitable remotely and has low attack complexity.

Specific BD Pyxis products were installed with default credentials and may still operate with them. Because those products may have been installed with the same default local operating system credentials or domain-joined server credentials, which may be shared across product types, exploitation could give attackers privileged access to the underlying file system and to ePHI or other sensitive information.

BD is currently strengthening credential management capabilities in the Pyxis products, and service personnel are working with users whose domain-joined server credentials require updates. The company is also piloting a credential management solution to allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade, or to applications are being evaluated as remediations.

The company also recommends that users of Pyxis products utilizing default credentials limit physical access to only authorized personnel, control management of system passwords provided to authorized users, monitor and log network traffic for suspicious activity, and isolate affected products in a secure virtual local area network (VLAN) or behind firewalls with restricted access.

According to a separate CISA notice, the BD Synapsys platform (versions 4.20, 4.20 SR1 and 4.30) is affected by an “Insufficient Session Expiration” vulnerability that has low attack complexity.

Successful exploitation of the Synapsys system could allow an attacker to access, modify or delete sensitive information, including ePHI, protected health information (PHI) and personally identifiable information (PII). The likelihood of an unauthorized breach of a Synapsys workstation would be negligible because a sequence of events must occur in a specific order, but successful exploitation could lead to modification of ePHI, PHI or PII, which could result in delayed or incorrect treatment.

BD Synapsys v4.20 SR2 will be released in June 2022 and will remediate the vulnerability, the CISA notice said, while users receiving Synapsys v4.30 will be allowed to upgrade to v5.10, which the company expects to make available by August 2022.

The company recommends that users working with impacted Synapsys products configure the inactivity session timeout to match the session expiration timeout; ensure physical access controls are in place and only authorized end users have access to workstations; place a reminder at each computer for users to save all work and log out or lock their workstation when leaving; and ensure industry-standard network security policies and procedures are followed.
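The Synapsys mitigation above (an inactivity timeout matched to the session expiration timeout) is one instance of a server enforcing both an idle limit and an absolute lifetime on every request. The following is an added illustration, not BD's code or anything from the CISA notice; the token names, user names and the 10-minute and 30-minute limits are assumptions chosen for the walkthrough, and the store handles the general case where the two values differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:
    user: str
    created_at: datetime     # absolute expiry is measured from here
    last_activity: datetime  # inactivity expiry is measured from here

class SessionStore:
    """Server-side store that ends a session on inactivity OR at an absolute age,
    so a token cannot stay usable after the user walks away from the workstation."""
    def __init__(self, idle_timeout: timedelta, absolute_timeout: timedelta):
        # An idle timeout longer than the absolute lifetime would never fire;
        # matching the two values, as BD recommends, satisfies this check.
        if idle_timeout > absolute_timeout:
            raise ValueError("inactivity timeout must not exceed session expiration timeout")
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, token: str, user: str, now: datetime) -> None:
        self._sessions[token] = Session(user, now, now)

    def validate(self, token: str, now: datetime):
        """None if the session is live (activity stamp refreshed), else the rejection reason."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.created_at >= self.absolute_timeout:
            del self._sessions[token]      # absolute lifetime reached, even if still active
            return "expired"
        if now - s.last_activity >= self.idle_timeout:
            del self._sessions[token]      # user walked away; do not just lock the screen
            return "idle"
        s.last_activity = now
        return None

def scenario():
    """Constructed walkthrough with hypothetical 10-minute idle and 30-minute absolute limits."""
    t0 = datetime(2022, 6, 1, 9, 0)
    store = SessionStore(timedelta(minutes=10), timedelta(minutes=30))
    store.create("walks-away", "labtech", t0)
    store.create("keeps-working", "labtech", t0)
    # Requests at the given minutes after login; the first user pauses for 11 minutes,
    # the second keeps clicking every 9 minutes but still hits the absolute limit.
    walks_away = [store.validate("walks-away", t0 + timedelta(minutes=m)) for m in (5, 14, 25, 26)]
    keeps_working = [store.validate("keeps-working", t0 + timedelta(minutes=m)) for m in (9, 18, 27, 30)]
    return walks_away, keeps_working
    # -> ([None, None, 'idle', 'unknown'], [None, None, None, 'expired'])
```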