This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to products that are actively supported.
BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in products in a timely fashion. Vulnerability disclosure is an essential component to BD’s approach to transparency by enabling customers to properly manage risk through awareness and guidance.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of BD Pyxis™ ES system. The contents of this notification will be disclosed publicly on the BD Product Security website ( http://www.bd.com/productsecurity) and is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency ICS-CERT) and the Health Information Sharing and Analysis Center (H-ISAC).
Products in Scope
Begin Update A: September 17, 2019
BD has clarified the versions referenced in the original security bulletin communication based on our ongoing internal assessments for further clarity and accuracy. This update does not increase the number of customers impacted.
End Update A: September 17, 2019
This notification applies to the BD Pyxis™ ES system products listed below for customers whose products are connected directly to a hospital domain and utilize an outdated version of Microsoft’s Active Directory Domain Controller set to a functional level of 2008 or 2008R2 (or older) for user authentication:
- BD Pyxis™ ES suite of products, versions 1.3.4 through 1.5.3
- BD Pyxis™ Enterprise Server, Windows Server 4.4 through 4.12
BD has been unsuccessful in reproducing this issue since initially testing and reproducing it earlier in the year. Although BD has not been able to reproduce the vulnerability with a fully patched Microsoft Active Directory controller set to an outdated functional level of 2008/2008 R2, BD recommends that customers upgrade their Microsoft Active Directory Services Domain Controller to a functional level of 2012 or higher. No upgrades of BD Pyxis™ ES suite of products is required to address this vulnerability.
This vulnerability may allow a user with expired credentials to retain previously provided permissions and be able to perform the same action(s) as when this user was still active in certain BD Pyxis™ ES system products whose products are joined to a hospital domain and utilize an outdated version of Active Directory Domain Controller.
- Users with expired credentials may be able to log into affected BD Pyxis™ ES products
- Users with expired credentials may be able to log into the BD Pyxis™ Enterprise Server web page
Utilizing expired credentials could potentially allow for users to obtain access to patient data and medication . These actions are only possible when the BD Pyxis™ ES products and BD Pyxis™ Enterprise Server web page are connected to the hospitals’ domain, and used in conjunction with an outdated version of Active Directory Domain Controller. Connecting devices, rather than servers, to a hospital domain is an uncommon configuration for dispensing cabinets. Customers who do not utilize Active Directory, are not impacted by this vulnerability.
To exploit this vulnerability on BD Pyxis™ ES suite of products, a malicious attacker must bypass physical controls to obtain physical access to the hospital network, physical access to the devices impacted and utilize expired Active Directory credentials.
To exploit this vulnerability on BD Pyxis™ Enterprise Server, a malicious attacker must obtain access to a hospital network and utilize expired Active Directory credentials.
BD is not aware of any instances in which patient data was viewed, without authorization, due to this vulnerability.
Clinical Risk Assessment and Patient Safety Impact
This vulnerability has been assessed for clinical impact by BD and represents an unanticipated potential of diversion with traceability based on the hazard analysis and risk evaluation. The automated dispensing cabinets would need to be joined to the hospital domain. Any access by an expired user would be logged appropriately by the system and is viewable in all available reporting.
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS) to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.
i.e. 7.6 High CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Rationale: The BD Pyxis™ Enterprise Server can potentially be accessed across the local hospital network, resulting in an attack vector of adjacent. The attack complexity is low as all that is required is the act of logging in using previously expired credentials. Privileges are required in that the attacker would need to be in the hospital’s active directory. The impact on confidentiality and integrity are high as the system houses sensitive patient data and users may be able to perform the same action(s) as when this user was still active. Availability impact is low as an attacker would not have access to the underlying data storage constructs.
Mitigations & Compensating Controls
Previously, BD reported that this vulnerability was remediated in the latest software release. However, BD has been unsuccessful in reproducing this issue since initially testing and reproducing it earlier in the year.
- Although BD has not been able to reproduce the vulnerability with a fully patched Microsoft Active Directory controller set to an outdated functional level of 2008/2008 R2, BD recommends that: Customers upgrade their Microsoft Active Directory Services Domain Controller to a functional level of 2012 or higher.
- No upgrades of BD Pyxis™ ES suite of products is required to address this vulnerability.
Original BD Publication Date: 09/5/2019
Lat updated: 09/18/2019
For More Information
For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office: http://www.bd.com/productsecurity
Product Security Bulletin for BD Pyxis™ ES system
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
Franklin Lakes, NJ
© 2019 BD