Zffoto - stock.adobe.com
BD, CISA Warn of Medical Device Security Vulnerabilities in BD Synapsys, Pyxis Devices
BD disclosed medical device security vulnerabilities in certain Synapsys and Pyxis devices that have low attack complexity and could result in PHI exposure if exploited.
Becton, Dickinson and Company (BD) disclosed two medical device security vulnerabilities found in certain Synapsys and Pyxis devices. The Pyxis vulnerabilities (CVE-2022-22767) received a CVSS score of 8.8, and the Synapsys vulnerabilities (CVE-2022-30277) received a score of 5.7, the Cybersecurity and Infrastructure Security Agency (CISA) reported in its advisories.
BD Pyxis products are automated medication dispensing systems. If certain BD Pyxis products were exploited, an attacker may be able to gain access to electronic protected health information (ePHI), CISA stated.
“Specific BD Pyxis products were installed with default credentials and may still operate with these credentials,” CISA continued.
“There may be scenarios where BD Pyxis products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. Threat actors could exploit this vulnerability to gain privileged access to the underlying file system and exploit or gain access to ePHI or other sensitive information.”
BD is actively working on strengthening credential management capabilities and is piloting a credential management solution targeted for specific BD Pyxis products.
In the meantime, BD also recommended that users of BD Pyxis products with default credentials take the following actions:
- Limit physical access to only authorized personnel.
- Tightly control management of system passwords provided to authorized users.
- Monitor and log network traffic attempting to reach the affected products for suspicious activity.
- Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks, when needed.
The BD Synapsys vulnerability impacts versions 4.20, 4.20 SR1, and 4.30. The vulnerability stems from an insufficient session expiration.
“An unauthorized physical breach of a BD Synapsys workstation would be negligible due to the sequence of events that must occur in a specific order, however successful exploitation could lead to modification of ePHI, PHI, or PII. The result could cause delayed or incorrect treatment,” the advisory stated.
Successful exploitation could allow an attacker to access, delete, or modify sensitive information, including ePHI.
BD recommended that users working with the impacted versions implement the following compensating controls:
- Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
- Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
- Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys workstation.
- Ensure industry standard network security policies and procedures are followed.
CISA urged organizations to employ proper impact analyses and risk assessments before deploying defensive security measures.