BD has released security notifications about two vulnerabilities that affect certain BD Pyxis electronic medication dispensing system products and the BD Synapsys microbiology informatics software system.
BD Pyxis – CVE-2022-22767
According to BD, certain BD Pyxis products were installed with default credentials and may still be operating with those credentials. In some cases, the affected products may have been installed with the same default local OS credentials or domain-joined server credentials, which may be shared across multiple product types.
If a threat actor were to exploit the vulnerability, they could gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive data. The vulnerability is tracked as CVE-2022-22767 and has been assigned a high-severity CVSS v3 base score of 8.8 out of 10.
The vulnerability affected these products:
- BD Rowa Pouch Packaging Systems
- BD Pyxis ES Anesthesia Station
- BD Pyxis CIISafe
- BD Pyxis Logistics
- BD Pyxis MedBank
- BD Pyxis MedStation 4000
- BD Pyxis Medstation ES
- BD Pyxis MedStation ES Server
- BD Pyxis ParAssist
- BD Pyxis Rapid Rx
- BD Pyxis StockStation
- BD Pyxis SupplyCenter
- BD Pyxis SupplyRoller
- BD Pyxis SupplyStation EC
- BD Pyxis SupplyStation RF Auxiliary
- BD Pyxis SupplyStation
BD said it is working with customers who require their domain-joined server credentials to be updated, and it is strengthening the credential management features of BD Pyxis products.
BD recommends the following compensating controls for customers whose Pyxis products are still using default credentials:
- Limit physical access to Pyxis products to authorized personnel only
- Tightly control the management of system passwords
- Monitor and log network traffic attempting to reach the affected products for suspicious activity
- Isolate affected products in a secure VLAN or behind firewalls, and permit communication only with trusted hosts on other networks, and only when necessary
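The last two controls, monitoring traffic to the devices and allowing only trusted hosts to reach them, can be checked against firewall or flow logs. The following is an example added to this article (not BD's tooling): it parses a constructed key=value firewall log format and reports every connection to the device VLAN that did not originate from an approved management host. The subnet, trusted-host list and log lines are all constructed assumptions.

```python
"""Flag connections to medication-dispensing hosts that did not come from an
approved management host.  Added example for this article, not BD's own code;
the log format, addresses and allowlists below are constructed assumptions."""

import ipaddress
import re
from collections import Counter

# Constructed inventory: the protected device VLAN and the only hosts that are
# permitted to talk to it (assumptions, not values from the BD advisory).
DEVICE_NETWORK = ipaddress.ip_network("10.50.1.0/24")
TRUSTED_SOURCES = {
    ipaddress.ip_network("10.20.5.10/32"),  # hypothetical pharmacy server
    ipaddress.ip_network("10.20.5.11/32"),  # hypothetical backup server
}

# Constructed key=value firewall log line layout.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_trusted(src):
    return any(src in net for net in TRUSTED_SOURCES)


def find_untrusted_access(lines):
    """Return events whose destination is in the device VLAN and whose source
    is not an approved host.  Denied connections are kept as well: a blocked
    attempt from an unexpected host is still worth an analyst's attention."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in DEVICE_NETWORK:
            continue
        if not is_trusted(ev["src"]):
            findings.append(ev)
    return findings


def summarize(findings):
    """Count flagged events per source address for a quick triage view."""
    return Counter(str(f["src"]) for f in findings)


# Constructed sample log: two approved sessions, one unexpected workstation
# touching SMB and RDP, outbound traffic from a device, an unknown host on
# SSH, and one malformed line.
SAMPLE_LOG = [
    "2022-06-01T10:00:01Z src=10.20.5.10 dst=10.50.1.10 dport=445 proto=tcp action=allow",
    "2022-06-01T10:00:05Z src=10.20.5.11 dst=10.50.1.12 dport=3389 proto=tcp action=allow",
    "2022-06-01T10:02:17Z src=192.168.77.4 dst=10.50.1.10 dport=445 proto=tcp action=allow",
    "2022-06-01T10:02:18Z src=192.168.77.4 dst=10.50.1.10 dport=3389 proto=tcp action=deny",
    "2022-06-01T10:03:00Z src=10.50.1.10 dst=10.20.5.10 dport=1433 proto=tcp action=allow",
    "2022-06-01T10:04:40Z src=10.30.8.22 dst=10.50.1.15 dport=22 proto=tcp action=allow",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for src, count in summarize(find_untrusted_access(SAMPLE_LOG)).items():
        print(f"{src}: {count} connection(s) to device VLAN from non-approved host")
```

Feeding real exports into `find_untrusted_access` only requires adapting `LOG_RE` to the firewall's format; the allowlist logic stays the same, and any hit is a signal that the VLAN segmentation or firewall rules are not as tight as intended.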
BD Synapsys – CVE-2022-30277
Certain BD Synapsys products are affected by an insufficient session expiration vulnerability that could allow an unauthorized user to access, modify, or delete sensitive data such as ePHI, which could lead to delayed or inappropriate treatment. BD states that a physical breach of an unsecured workstation is unlikely to result in the modification of ePHI, as the chain of events would have to occur in a precise sequence. The vulnerability is tracked as CVE-2022-30277 and has been assigned a medium-severity CVSS v3 base score of 5.7 out of 10.
The vulnerability affects BD Synapsys versions 4.20, 4.20 SR1, and 4.30. It will be addressed in BD Synapsys v4.20 SR2, which is due to be released this month.
BD has advised these compensating controls:
- Configure the inactivity session timeout in the operating system to match the session expiry timeout in BD Synapsys.
- Ensure physical access controls are in place and that only authorized users have access to BD Synapsys workstations.
- Place a reminder on each workstation for users to save their work and log out or lock the workstation whenever they step away from it.
- Ensure industry-standard network security policies and procedures are followed.
BD has notified CISA, ISACs, and the FDA about the vulnerabilities under its responsible vulnerability disclosure policy.
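The first Synapsys control, an OS inactivity lock aligned with the application's session expiry, is the kind of setting that drifts across a fleet of workstations, so it is worth auditing. The following is an example added to this article (not BD's code): it parses the text of a Windows `reg export` of the `Policies\System` key and checks the `InactivityTimeoutSecs` value, which backs the "Interactive logon: Machine inactivity limit" policy, against the application session expiry. The 900-second application timeout is an assumed placeholder, not a BD Synapsys value, and the example treats an OS lock that fires no later than the application expiry as acceptable; the .reg text is constructed.

```python
"""Audit an exported Windows registry fragment to confirm the OS inactivity
lock fires no later than the application session expiry.  Added example for
this article, not BD's code; the .reg text is constructed and the application
timeout passed in is an assumed placeholder."""

# Key and value behind the "Interactive logon: Machine inactivity limit" policy.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAME = "InactivityTimeoutSecs"


def parse_reg_export(text):
    """Parse [key] headers and "name"=type:value lines of a .reg export into
    {key: {name: raw_value}}.  The header line and blank lines are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def dword_value(raw):
    """Convert a .reg 'dword:00000384' literal to an int; None for absent or
    non-DWORD values."""
    if raw is None or not raw.lower().startswith("dword:"):
        return None
    return int(raw.split(":", 1)[1], 16)


def check_inactivity_limit(reg_text, app_session_secs):
    """Return (ok, os_limit_secs).  ok is False when the value is missing or
    zero (both leave the policy disabled) or when the OS lock would fire
    later than the application's own session expiry."""
    keys = parse_reg_export(reg_text)
    limit = dword_value(keys.get(POLICY_KEY, {}).get(VALUE_NAME))
    if not limit:
        return False, limit
    return limit <= app_session_secs, limit


# Constructed exports: a compliant 900 s limit, an over-long 3600 s limit,
# and a workstation where the policy was never set.
REG_OK = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"InactivityTimeoutSecs"=dword:00000384
"""

REG_TOO_LONG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"InactivityTimeoutSecs"=dword:00000e10
"""

REG_UNSET = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000001
"""

APP_SESSION_SECS = 900  # assumed placeholder for the application's session expiry

if __name__ == "__main__":
    for label, text in (("ok", REG_OK), ("too long", REG_TOO_LONG), ("unset", REG_UNSET)):
        ok, limit = check_inactivity_limit(text, APP_SESSION_SECS)
        print(f"{label}: OS limit={limit} -> {'PASS' if ok else 'FAIL'}")
```

Run against `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" out.reg` output gathered from each workstation, a FAIL means the workstation can sit unlocked after the application session has already expired, which is exactly the window the compensating control is meant to close.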