Bulletins
MEDIUM
This notification is voluntary reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to products that are actively supported.
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues related to BD products in a timely fashion. Vulnerability disclosure is an essential component of BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of BD Pyxis ES MedStation and Anesthesia (PAS) ES System. The contents of this notification will be disclosed publicly on the BD Product Security website. For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
This notification applies to the following systems:
- Pyxis™ MedStation ES System, v. 1.6.1
- Pyxis™ Anesthesia (PAS) ES System, v. 1.6.1
Note: Versions of these products may be updated as necessary if new information becomes available.
BD has been made aware that an unauthorized user may be able to bypass kiosk mode of the Pyxis™ MedStation and Pyxis™ Anesthesia (PAS) ES System. If exploited, an unauthorized user could potentially view and/or modify sensitive data.
BD has not received any reports of this vulnerability being exploited.
This vulnerability has been assessed by BD for potential clinical impact. Based on the risk evaluation, the probability of harm is low, considering an unauthorized user would need physical access to the system to escape kiosk mode. The medical benefit for continued use of the systems outweighs the risks associated with this vulnerability.
BD has assessed the following vulnerability using the Common Vulnerability Scoring System (CVSS) version 3.1 https://www.first.org/cvss/
Escaping kiosk mode
6.8 (Medium) AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale: Physical access to the system is a prerequisite for the attack to occur. The attack complexity is low; thus, a user would not need specialized access conditions and/or extenuating circumstances for a successful attack to occur. User interaction and user privileges are not required to exploit. The scope of a potential attack would not change, and this vulnerability may have a high impact on the confidentiality, integrity and availability of the system.
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- Limit physical access of the Pyxis™ Medstation™ ES and Anesthesia (PAS) ES System to only authorized users.
- Isolate impacted systems and only connect them to trusted systems.
- Monitor and investigate unplanned re-boots of systems using network monitoring tools provided by customer IT departments
Additionally, BD is in the process of deploying a security update that strengthens kiosk mode to limit currently known methods of kiosk escape in Pyxis™ MedStation™ and Pyxis™ Anesthesia (PAS) ES System versions 1.6.1. Access to tools for viewing or manipulating local resources will be restricted.
Original Publication date: March 31, 2020
Last Updated: March 31, 2020
For more information on BD’s proactive approach to product security and vulnerability management, contact our Product Security Office:
http://www.bd.com/productsecurity
March 2020
Product Security Bulletin for Pyxis™ MedStation and Pyxis™ Anesthesia (PAS) ES System
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
BD
Franklin Lakes, NJ
07417
Download a PDF of this notice here
Do you like this? Share it:English