BD Pyxis™ Products - Hardcoded Credentials

Background

This notification provides product security information and recommendations related to the use of hardcoded credentials in specific BD Pyxis™ products. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

Products in Scope

The product list below identifies existing BD Pyxis™ products that use hardcoded credentials. The list may be updated as more products are identified. Please check back periodically for updates.

  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ CATO
  • BD Pyxis™ CIISafe
  • BD Pyxis™ Inventory Connect
  • BD Pyxis™ IV Prep
  • BD Pyxis™ JITrBUD
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ Logistics
  • BD Pyxis™ Med Link Family
  • BD Pyxis™ MedBank
  • BD Pyxis™ MedStation™ 4000
  • BD Pyxis™ MedStation™ ES
  • BD Pyxis™ MedStation™ ES Server
  • BD Pyxis™ ParAssist
  • BD Pyxis™ PharmoPack™
  • BD Pyxis™ ProcedureStation™ (including EC)
  • BD Pyxis™ Rapid Rx
  • BD Pyxis™ StockStation
  • BD Pyxis™ SupplyCenter
  • BD Pyxis™ SupplyRoller
  • BD Pyxis™ SupplyStation™ (including RF, EC, CP)
  • BD Pyxis™ Track and Deliver
  • BD Rowa™ Pouch Packaging Systems

Vulnerability Details

  • CVE-2022-22766 - Hardcoded credentials are used in specific BD Pyxis™ products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.


The BD Pyxis™ device’s hardcoded credentials are not used directly by customers or end-users to access the system. The use of hardcoded credentials in BD Pyxis™ devices is documented in BD Product Security White Papers, which customers can request from the BD Cybersecurity Trust Center. BD Product Security White Papers detail how security and privacy practices have been applied and provide information to help customers safeguard product security throughout each product's life cycle.

To exploit this vulnerability, threat actors would have to gain access to the hardcoded credentials, infiltrate the facility’s network, and gain access to individual devices.

There have been no reports of this vulnerability being exploited in a clinical setting.

Vulnerability Score

Mitigations and Compensating Controls

BD is in the process of strengthening our credential management capabilities in BD Pyxis™ devices and is providing this information to increase awareness.

Additionally, BD recommends the following compensating controls for customers using BD Pyxis™ products that utilize the hardcoded credentials:

  • Limit physical access to the device to only authorized personnel.
  • Tightly control management of BD Pyxis™ system credentials provided to authorized users.
  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
  • Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
  • Work with your local BD support team to ensure all patching and virus definitions are up to date. The Pyxis™ Security Module for automated patching and virus definition management is provided to all accounts.
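As an added illustration of the isolation and monitoring controls above (example code, not BD's own tooling or guidance), the following script reviews constructed firewall flow-log lines and flags any flow aimed at an affected device from a host outside the trusted allowlist. The device addresses, trusted hosts and log format are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample in an assumed flow-log format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2024-01-01T08:00:01 TCP 10.20.5.10:51522 -> 10.30.1.15:445 ALLOW
2024-01-01T08:00:02 TCP 10.20.9.77:40122 -> 10.30.1.15:445 DENY
2024-01-01T08:00:03 TCP 10.20.9.77:40123 -> 10.30.1.16:3389 DENY
2024-01-01T08:00:04 TCP 10.20.5.11:51530 -> 10.30.1.16:1433 ALLOW
2024-01-01T08:00:05 TCP 10.20.9.77:40124 -> 10.30.1.15:445 ALLOW
2024-01-01T08:00:06 TCP 10.20.5.10:51540 -> 10.40.2.2:443 ALLOW
"""

# Assumed (placeholder) addresses of the isolated BD Pyxis devices.
DEVICE_HOSTS = {"10.30.1.15", "10.30.1.16"}
# Assumed trusted hosts allowed to reach them (e.g. the managing server, patch host).
TRUSTED_HOSTS = {"10.20.5.10", "10.20.5.11"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_untrusted_access(log_text, devices=DEVICE_HOSTS, trusted=TRUSTED_HOSTS):
    """Flag every flow toward an affected device whose source is not on the allowlist.

    Denied flows are reported as well: a DENY from an unknown host still shows
    something reaching for the isolated segment, which is what deserves review.
    Returns (findings, per_source_counts).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in devices:
            continue
        if rec["src"] not in trusted:
            findings.append(rec)
    return findings, Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits, by_src = find_untrusted_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} {h['action']}")
    print("untrusted sources:", dict(by_src))
```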

Additional Resources

For product- or site-specific concerns, contact your BD service representative.
