Becton Dickinson Pyxis Drug Dispensing Cabinets Found to Have Vulnerability

Becton Dickinson (BD) identified a vulnerability in Pyxis drug dispensing cabinets that could enable an unauthorized person to access patient information and medications using outdated credentials.

BD reported the vulnerability to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). An advisory about this vulnerability has been issued by ICS-CERT.

The vulnerability impacts the following:

  • Pyxis ES versions 1.3.4 to 1.6.1
  • Pyxis Enterprise Server having Windows Server versions 4.4 to 4.12.

CVE-2019-13517 is a session fixation defect: when a vulnerable device is joined to an Active Directory (AD) domain, active access privileges are not correctly reconciled with the expiration of that access.

In practice, this means the credentials of a formerly authenticated user may be used to access a vulnerable device in certain configurations. An attacker would then hold the same access privileges as that user and could access patient data and medications. Healthcare providers that have not connected the devices to AD are not affected.
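To show the bug class described above, the following added example (constructed for this article, not BD's code and not the actual Pyxis logic) models a device that caches domain credentials: with `revalidate=False` a credential obtained while the account was valid keeps working after the directory has expired the account, which is the stale-access condition the advisory describes; with `revalidate=True` the device consults the directory on every login and purges the cache once the account is gone. The directory, user name, password and expiry dates are all constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

@dataclass
class Directory:
    """Constructed stand-in for the hospital AD: user -> (password, expiry).
    Illustrates the bug class in the advisory, not BD's actual Pyxis logic."""
    accounts: dict = field(default_factory=dict)

    def status(self, user, now):
        rec = self.accounts.get(user)
        if rec is None or now >= rec[1]:
            return None                       # account removed or expired
        return rec[0]

@dataclass
class Device:
    """Cabinet-side login. revalidate=False reproduces the weak pattern: a
    credential cached from an earlier domain login keeps working for cache_ttl
    even after the directory has expired or removed the account."""
    directory: Directory
    revalidate: bool
    cache_ttl: timedelta = timedelta(days=30)
    cache: dict = field(default_factory=dict)  # user -> (pw_hash, cached_at)

    def login(self, user, password, now):
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        cached = self.cache.get(user)
        if cached and now - cached[1] <= self.cache_ttl:
            if cached[0] == pw_hash and not self.revalidate:
                return True                   # accepted on local expiry alone
        live_pw = self.directory.status(user, now)
        if live_pw is None:
            self.cache.pop(user, None)        # purge once AD expires/removes it
            return False
        if live_pw != password:
            return False
        self.cache[user] = (pw_hash, now)
        return True

def demo(revalidate):
    """Returns (login while account valid, login after AD expiry)."""
    t0 = datetime(2019, 9, 1, 8, 0)
    ad = Directory({"nurse1": ("pw", t0 + timedelta(days=1))})  # leaves tomorrow
    dev = Device(ad, revalidate)
    first = dev.login("nurse1", "pw", t0)
    later = dev.login("nurse1", "pw", t0 + timedelta(days=3))
    return first, later
```

The revalidating variant is the behaviour the mitigations below aim for: a device that trusts only the directory's current view of the account, not a locally cached copy.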

The vulnerability has been assigned a CVSS v3 base score of 7.6 out of 10. ICS-CERT's advisory states that an attacker with a low skill level can exploit it remotely. BD notes, however, that joining the drug cabinets to hospital domains is uncommon and not recommended, so only a small number of hospitals using the cabinets are expected to be affected.

BD has released software version 1.6.1.1 to address the vulnerability; it removes access to the file-sharing component of the Pyxis network.

BD recommends that affected healthcare providers implement the following mitigations to reduce the risk associated with the vulnerability:

  • Do not rely on expiration dates to remove users from the hospital's Active Directory
  • Remove from AD those users whose roles grant access to the Pyxis ES application
  • Do not join Pyxis ES systems to the hospital domain

BD is not aware of any incident in which the vulnerability was exploited to gain unauthorized access to information.