BD Pyxis™ MedStation™ and Anesthesia (PAS) ES System Kiosk Mode Escape

Background

This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).

It applies to products that are actively supported.

BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues related to BD products in a timely fashion. Vulnerability disclosure is an essential component of BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of BD Pyxis ES MedStation and Anesthesia (PAS) ES System. The contents of this notification will be disclosed publicly on the BD Product Security website. For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

This notification applies to the following systems:

  • Pyxis™ MedStation ES System, v. 1.6.1
  • Pyxis™ Anesthesia (PAS) ES System, v. 1.6.1

Note: Versions of these products may be updated as necessary if new information becomes available.

Vulnerability Details

BD has been made aware that an unauthorized user may be able to bypass kiosk mode of the Pyxis™ MedStation and Pyxis™ Anesthesia (PAS) ES System. If exploited, an unauthorized user could potentially view and/or modify sensitive data.

BD has not received any reports of this vulnerability being exploited.

Clinical Risk Assessment and Patient Safety Impact

This vulnerability has been assessed by BD for potential clinical impact. Based on the risk evaluation, the probability of harm is low, considering an unauthorized user would need physical access to the system to escape kiosk mode. The medical benefit for continued use of the systems outweighs the risks associated with this vulnerability.

Product Security Risk Assessment and Vulnerability Score

BD has assessed the following vulnerability using the Common Vulnerability Scoring System (CVSS) version 3.1 (https://www.first.org/cvss/).

Escaping kiosk mode

6.8 (Medium) AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rationale: Physical access to the system is a prerequisite for the attack. Attack complexity is low: a user would not need specialized access conditions or extenuating circumstances for a successful attack. Neither user interaction nor user privileges are required for exploitation. The scope of a potential attack would not change, and this vulnerability may have a high impact on the confidentiality, integrity and availability of the system.

Mitigations & Compensating Controls

BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:

  • Limit physical access to the Pyxis™ MedStation™ ES and Anesthesia (PAS) ES System to authorized users only.
  • Isolate impacted systems and only connect them to trusted systems.
  • Monitor and investigate unplanned reboots of systems using network monitoring tools provided by customer IT departments.
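The third control asks customer IT to watch for unplanned reboots with their own network monitoring tools. The bulletin does not say how those tools should detect a reboot; one common method is to poll each device's uptime counter (for example SNMP sysUpTime) and treat a counter that has gone backwards as a reboot, then compare the estimated boot time against the known maintenance windows. The following is an added example illustrating that approach; it is not BD code, the polling method is an assumption, and the host names, poll data and maintenance window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# SNMP sysUpTime is a 32-bit TimeTicks counter (hundredths of a second), so it
# wraps after roughly 497 days; a wrap must not be reported as a reboot.
UPTIME_WRAP_S = (2 ** 32) // 100
TS_FORMAT = "%Y-%m-%d %H:%M"


@dataclass(frozen=True)
class Sample:
    polled_at: datetime   # poller's clock at the time of the poll
    host: str
    uptime_s: int         # uptime counter reported by the device, in seconds


@dataclass(frozen=True)
class Reboot:
    host: str
    booted_at: datetime   # estimated as poll time minus reported uptime
    planned: bool         # True if the boot time falls inside a maintenance window


def parse_rows(rows: List[Tuple[str, str, int]]) -> List[Sample]:
    """Build samples from (timestamp, host, uptime_seconds) rows as a poller might export them."""
    return [Sample(datetime.strptime(ts, TS_FORMAT), host, int(up)) for ts, host, up in rows]


def parse_windows(rows: List[Tuple[str, str]]) -> List[Tuple[datetime, datetime]]:
    return [(datetime.strptime(a, TS_FORMAT), datetime.strptime(b, TS_FORMAT)) for a, b in rows]


def detect_reboots(samples: List[Sample],
                   maintenance_windows: List[Tuple[datetime, datetime]]) -> List[Reboot]:
    """A reboot occurred between two polls of a host when the newer uptime is
    smaller than the time elapsed since the previous poll (and the counter did not wrap)."""
    by_host = {}
    for s in sorted(samples, key=lambda s: (s.host, s.polled_at)):
        by_host.setdefault(s.host, []).append(s)
    reboots = []
    for host, series in by_host.items():
        for prev, cur in zip(series, series[1:]):
            elapsed = (cur.polled_at - prev.polled_at).total_seconds()
            if cur.uptime_s >= elapsed:
                continue                      # counter kept running: no reboot
            if prev.uptime_s + elapsed >= UPTIME_WRAP_S:
                continue                      # counter wrapped; the device stayed up
            booted_at = cur.polled_at - timedelta(seconds=cur.uptime_s)
            planned = any(start <= booted_at <= end for start, end in maintenance_windows)
            reboots.append(Reboot(host, booted_at, planned))
    return reboots


def unplanned_reboots(samples, maintenance_windows) -> List[Reboot]:
    """Only the reboots that should be investigated."""
    return [r for r in detect_reboots(samples, maintenance_windows) if not r.planned]


# Constructed poll data (not from any real device): hourly uptime polls of two hosts.
# pyxis-ms-01 reboots once inside the maintenance window and once mid-afternoon.
SAMPLES = parse_rows([
    ("2020-03-30 01:00", "pyxis-ms-01", 600000),
    ("2020-03-30 02:00", "pyxis-ms-01", 603600),
    ("2020-03-30 03:00", "pyxis-ms-01", 900),      # came up at 02:45: planned
    ("2020-03-30 04:00", "pyxis-ms-01", 4500),
    ("2020-03-30 14:00", "pyxis-ms-01", 40500),
    ("2020-03-30 15:00", "pyxis-ms-01", 120),      # came up at 14:58: unplanned
    ("2020-03-30 01:00", "pyxis-pas-02", 100000),
    ("2020-03-30 02:00", "pyxis-pas-02", 103600),
    ("2020-03-30 03:00", "pyxis-pas-02", 107200),
])
MAINTENANCE_WINDOWS = parse_windows([("2020-03-30 02:30", "2020-03-30 03:30")])

if __name__ == "__main__":
    for r in unplanned_reboots(SAMPLES, MAINTENANCE_WINDOWS):
        print(f"UNPLANNED reboot: {r.host} came up at {r.booted_at:{TS_FORMAT}}; investigate")
```

The boot time is estimated from the poller's clock rather than the device's, so it is not affected by a device whose clock was changed, and the wrap check keeps a long-running device from generating a false alert every 497 days. Poll interval sets the resolution: a reboot shorter than one polling interval is still caught, but two reboots within one interval appear as one event.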

Additionally, BD is in the process of deploying a security update that strengthens kiosk mode to limit currently known methods of kiosk escape in Pyxis™ MedStation™ and Pyxis™ Anesthesia (PAS) ES System version 1.6.1. Access to tools for viewing or manipulating local resources will be restricted.

Original Publication date: March 31, 2020

Last Updated: March 31, 2020

Additional Resources

For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office:

http://www.bd.com/productsecurity
March 2020
Product Security Bulletin for Pyxis™ MedStation and Pyxis™ Anesthesia (PAS) ES System

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.

BD
Franklin Lakes, NJ
07417
