This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to products that are actively supported. This has been remediated in the latest software release.
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Vulnerability disclosure is an essential component to BD's approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Pyxis™ ES system. The contents of this notification will be disclosed publicly on the BD Product Security website (http://www.bd.com/productsecurity) and are voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
Products in Scope
This notification applies to the BD Pyxis™ ES system products listed below for customers whose products are connected directly to a hospital domain and utilize Microsoft's Active Directory:
- BD Pyxis™ ES suite of products, versions 1.3.4 through 1.6.1
- BD Pyxis™ Enterprise Server, Windows Server 4.4 through 4.12
This vulnerability has been remediated in the latest release, 188.8.131.52
BD has confirmed a vulnerability in certain BD Pyxis™ ES system products that are connected directly to a hospital domain and utilize Active Directory. It may allow a user with expired credentials to retain previously granted permissions and perform the same action(s) as when that user was still active.
- Users with expired credentials may be able to log into affected BD Pyxis™ ES products
- Users with expired credentials may be able to log into the BD Pyxis™ Enterprise Server web page
Utilizing expired credentials could potentially allow users to obtain access to patient data and medication. These actions are only possible when the BD Pyxis™ ES products and BD Pyxis™ Enterprise Server web page are connected to the hospital's domain, which is a rare configuration. Connecting devices, rather than servers, to a hospital domain is an uncommon configuration for dispensing cabinets. Customers who do not utilize Active Directory are not impacted by this vulnerability.
To exploit this vulnerability on the BD Pyxis™ ES suite of products, a malicious attacker must bypass physical controls to gain physical access to the hospital and to the affected devices, and must utilize expired Active Directory credentials.
To exploit this vulnerability on the BD Pyxis™ Enterprise Server, a malicious attacker must obtain access to the hospital network and utilize expired Active Directory credentials.
BD is not aware of any instances in which patient data was viewed, without authorization, due to this vulnerability.
Clinical Risk Assessment and Patient Safety Impact
This vulnerability has been assessed for clinical impact by BD and represents an unanticipated potential for diversion, with traceability, based on the hazard analysis and risk evaluation. The automated dispensing cabinets would need to be joined to the hospital domain. Any access by an expired user would be logged appropriately by the system and is viewable in all available reporting.
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.
CVSS v3.0 base score: 7.6 (High), vector CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Rationale: The BD Pyxis™ Enterprise Server can potentially be accessed across the local hospital network, resulting in an attack vector of Adjacent. The attack complexity is Low, as all that is required is the act of logging in using previously expired credentials. Privileges are Required in that the attacker would need an account in the hospital's Active Directory. The impacts on confidentiality and integrity are High, as the system houses sensitive patient data and users may be able to perform the same action(s) as when their account was still active. The availability impact is Low, as an attacker would not have access to the underlying data storage constructs.
Mitigations & Compensating Controls
While this vulnerability has been remediated in the latest software release, 184.108.40.206, BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- Remove expired users from the relevant Active Directory role that grants access to the BD Pyxis™ ES system
- Do not place BD Pyxis™ ES systems on the hospital domain
- As a best practice, customers should not rely on expiration dates to remove users from their hospitals' Active Directory system.
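The first mitigation above amounts to auditing the Active Directory group that grants BD Pyxis™ ES access for accounts that have passed their expiration date (or been disabled) but were never removed. The following PowerShell is an added example, not BD's own tooling or guidance; the group name is a hypothetical placeholder, and it assumes the ActiveDirectory RSAT module is available on the administrative workstation.

```powershell
# Added example (not from BD): list accounts that are expired or disabled but still
# hold membership in the AD group that grants BD Pyxis ES access, then remove them.
Import-Module ActiveDirectory

$PyxisAccessGroup = 'Pyxis-ES-Users'   # hypothetical placeholder; use your real group name
$Now = Get-Date

# Recursive membership so nested groups are covered; keep only user objects.
$Members = Get-ADGroupMember -Identity $PyxisAccessGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$Stale = foreach ($m in $Members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties AccountExpirationDate, Enabled, LastLogonDate
    # An account counts as expired when an expiration date is set and is in the past.
    $expired = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -le $Now)
    if ($expired -or -not $u.Enabled) {
        [pscustomobject]@{
            SamAccountName        = $u.SamAccountName
            Enabled               = $u.Enabled
            AccountExpirationDate = $u.AccountExpirationDate
            LastLogonDate         = $u.LastLogonDate
        }
    }
}

# Report first so the change can be reviewed against the system's access logs.
$Stale | Format-Table -AutoSize

# Remove stale members from the access group. -WhatIf previews the change;
# drop it once the list has been reviewed.
foreach ($s in $Stale) {
    Remove-ADGroupMember -Identity $PyxisAccessGroup -Members $s.SamAccountName `
        -Confirm:$false -WhatIf
}
```

Running this on a schedule turns the "do not rely on expiration dates" guidance into an enforced control: membership in the access group is withdrawn as soon as an account expires rather than waiting on the expiration date to be honored downstream.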
BD has created a remediation that removes access to the SMB network share. Further details, including implementation of the remediation, will be provided within 60 days of this original update.
Original BD Publication Date: 09/5/2019
For More Information
For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for BD Pyxis™ ES system
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD