Pyxis™ supply system security information and upgrade considerations

March 28, 2016

This bulletin provides clinical and technical security information, recommendations and upgrade options for legacy Pyxis™ supply customers with installed end-of-life (EOL) product versions.

Affected products

The affected Pyxis SupplyStation™ system software versions are:

  • Version 8.0 Server 2003/XP
  • Version 8.1.3 Server 2003/XP
  • Version 9.0 Server 2003/XP
  • Version 9.1 Server 2003/XP
  • Version 9.2 Server 2003/XP
  • Version 9.3 Server 2003/XP

This page contains:

  • Special considerations and recommendations for legacy Pyxis supply customers
  • Available upgrade path for legacy Pyxis supply customers
  • Compensating security mitigations and recommendations for legacy Pyxis supply customers
  • Points of contact for further information

Special considerations and recommendations for legacy Pyxis supply customers

Customers with legacy Pyxis supply systems currently installed should consider the following factors related to the sustainability and supportability of these EOL products:

EOL operating system and third-party software considerations

The decision by Microsoft® to announce EOL and end of extended support for the Microsoft Windows® XP and XP Embedded operating systems brings with it a host of sustainability, support and security issues that negatively impact customers. Microsoft has recommended that existing XP customers immediately migrate to newer, supported operating systems to minimize sustainment and security risks.

BD has developed upgrade options, described in this bulletin, for legacy Pyxis supply customers to best support their critical modernization objectives.

Security vulnerabilities associated with unsupported operating systems and third-party software

In addition to the numerous known vulnerabilities associated with Windows XP and XP Embedded, BD and independent security researchers have identified numerous vulnerabilities in EOL versions of the Pyxis SupplyStation system that are associated with EOL operating systems and software.

Version 8.1.3 of the Pyxis SupplyStation system, last updated around April 2010, was tested and determined to contain 1,418 vulnerabilities, present across seven different third-party vendor applications:

  • BMC AppSight 5.7
  • SAP Crystal Reports 8.5
  • Flexera® Software InstallShield®
  • Microsoft Windows XP
  • Sybase SQL Anywhere® 9
  • Symantec AntiVirus 9
  • Symantec pcAnywhere™ 10.5

BD has collaborated with the U.S. Department of Homeland Security (DHS) to review base and temporal Common Vulnerability Scoring System (CVSS) scores for these vulnerabilities, which will be further highlighted in a forthcoming DHS advisory, located at https://ics-cert.us-cert.gov/advisories. These vulnerability scores can be used in assessing risk within your own organization.

  • 715 vulnerabilities were identified as having a CVSS base score of 7.0–10.0.
  • 606 vulnerabilities were identified as having a CVSS base score of 4.0–6.9.
  • 97 vulnerabilities were identified as having a CVSS base score of 0–3.9.

These vulnerabilities have also been assessed for clinical impact by BD and DHS and represent little to no risk to patient safety.

BD has also verified that the identified vulnerabilities are not present in currently available Pyxis supply versions.

Available options for legacy Pyxis supply customers

Product upgrade

BD has developed an upgrade path available to eligible legacy Pyxis supply customers, based on the current legacy product version. Legacy supply customers are urged to migrate to the latest Pyxis SupplyStation platform.

Contact your Pyxis sales representative to obtain more information and discuss available upgrade options.

Alternative solutions

Though BD strongly advises customers to upgrade their Pyxis SupplyStation systems to currently supported versions, it is understood that some may not choose to do so.

BD has worked with DHS to identify specific compensating controls to reduce risk for customers that cannot upgrade or elect to remain on the legacy Pyxis SupplyStation platform, which includes acknowledgment and acceptance of any residual risk associated with a product version that is no longer supported.

BD recommends that customers running older versions of the Pyxis SupplyStation system on these legacy operating systems apply the following compensating measures. ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Isolate affected products from the internet and untrusted systems; however, if additional connectivity is required, use a virtual private network (VPN) solution.
  • When remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
  • Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
  • Close all unused ports on affected products.
  • Locate medical devices and remote devices behind firewalls, and isolate them from the business network.
  • Work with a local team to ensure that all Microsoft patching and ESET® virus definitions are up-to-date. A security module for automated Windows Server Update Services (WSUS) patching and virus definition management is provided to all accounts. Pyxis SupplyStation versions 8 and 9 have been upgraded to ESET.
  • If pcAnywhere is used and has not been upgraded to version 12.5 service pack 4, contact BD Customer Support (http://www.carefusion.com/customer-support/technical-support) to schedule an upgrade or to have it removed.
  • Customers should use the extended password feature configured for strong passwords, enable the password history tracking feature, and set user passwords to expire according to site policy.
  • Customers should work with BD to limit pcAnywhere remote sessions as much as possible to reduce risk exposure.
  • Customers should work with BD to explicitly establish customer permission before any remote connection is attempted or established.
  • At the customer's request, pcAnywhere should be uninstalled.
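The isolation, monitoring, closed-port and remote-session controls above can be checked mechanically against a firewall log. The following script is an added example, not code from BD or from the bulletin: it reads a constructed log in a simple "timestamp action proto src:port -> dst:port" format and flags every attempt to reach the SupplyStation address that comes from outside the clinical VLAN, from a host not on the allowlist, or to a port that should be closed. The device address, VLAN, allowlist and open service port are hypothetical; the pcAnywhere ports (TCP 5631, UDP 5632) are the product's documented defaults and are not stated in the bulletin.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical site layout (assumptions, not values from the bulletin): the
# Pyxis station sits on an isolated clinical VLAN, only the site's WSUS /
# antivirus-definition server may reach it, and a single service port is open.
DEVICE_IP = ipaddress.ip_address("10.20.30.40")
CLINICAL_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.30.10")}  # WSUS / definition server
ALLOWED_PORTS = {443}                                     # assumed open service port
REMOTE_CONTROL_PORTS = {5631, 5632}                       # pcAnywhere defaults (TCP data / UDP status)

# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines; addresses are documentation/private ranges.
SAMPLE_LOG = """\
2016-03-28T08:00:01 ALLOW TCP 10.20.30.10:50212 -> 10.20.30.40:443
2016-03-28T08:05:17 ALLOW TCP 10.20.30.55:41001 -> 10.20.30.40:443
2016-03-28T08:07:42 DENY  TCP 192.168.1.77:33120 -> 10.20.30.40:445
2016-03-28T08:09:03 ALLOW TCP 203.0.113.9:60001 -> 10.20.30.40:5631
2016-03-28T08:11:30 ALLOW TCP 10.20.30.10:50300 -> 10.20.30.41:443
malformed entry that the parser skips
2016-03-28T08:12:00 ALLOW UDP 10.20.30.10:50301 -> 10.20.30.40:5632
"""


def parse_line(line):
    """Return one log event as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Map one event onto the compensating controls it conflicts with."""
    reasons = []
    src = ipaddress.ip_address(event["src"])
    if src not in CLINICAL_VLAN:
        reasons.append("source outside clinical VLAN")      # isolation from business network
    elif src not in ALLOWED_SOURCES:
        reasons.append("source not on allowlist")           # only the patch/AV server may connect
    if event["dport"] in REMOTE_CONTROL_PORTS:
        # Remote-control sessions are flagged even from allowlisted hosts so they
        # can be matched against the customer's explicit-permission record.
        reasons.append("remote-control port (verify explicit permission)")
    elif event["dport"] not in ALLOWED_PORTS:
        reasons.append("port should be closed")             # unused port still reachable
    return reasons


def audit(log_text):
    """Return findings for every logged attempt to reach the device that breaks a control."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or ipaddress.ip_address(event["dst"]) != DEVICE_IP:
            continue  # unparseable, or traffic to some other host
        reasons = classify(event)
        if reasons:
            findings.append({"ts": event["ts"], "action": event["action"],
                             "src": event["src"], "dport": event["dport"],
                             "reasons": reasons})
    return findings


def summarize(findings):
    """Count how often each control was violated, for a quick site-level view."""
    counts = Counter()
    for finding in findings:
        counts.update(finding["reasons"])
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['action']:5} {f['src']} -> :{f['dport']}  {'; '.join(f['reasons'])}")
    print(dict(summarize(results)))
```

DENY entries are kept in the findings rather than discarded: a blocked attempt from the business network is exactly the "suspicious activity" the bulletin asks sites to monitor, and a run of them is worth investigating even though the firewall held.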

For more information

For more information on product security associated with legacy Pyxis supply products, see:

http://www.carefusion.com/customer-support/microsoft-security-patches
http://www.carefusion.com/customer-support/alerts-and-notices

For more information on our proactive approach to product security and vulnerability management, view the BD product security and privacy statement.

Contact our Product Security Office if you have any questions.