BD Pyxis™ Products - Default Credentials

Background

This notification provides product security information and recommendations related to the use of default credentials in specific BD Pyxis™ products. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (HISAC).

Products in Scope

The product list below identifies existing BD Pyxis™ products that may use default credentials.

  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CIISafe
  • BD Pyxis™ Logistics
  • BD Pyxis™ MedBank
  • BD Pyxis™ MedStation™ 4000
  • BD Pyxis™ MedStation™ ES
  • BD Pyxis™ MedStation™ ES Server
  • BD Pyxis™ ParAssist
  • BD Pyxis™ Rapid Rx
  • BD Pyxis™ StockStation
  • BD Pyxis™ SupplyCenter
  • BD Pyxis™ SupplyRoller
  • BD Pyxis™ SupplyStation™
  • BD Pyxis™ SupplyStation™ EC
  • BD Pyxis™ SupplyStation™ RF auxiliary
  • BD Rowa™ Pouch Packaging Systems

Vulnerability Details

CVE-2022-22767 - Specific BD Pyxis™ products were installed with default credentials and may still be operating with those credentials. In some deployments, BD Pyxis™ products were installed with the same default local operating system credentials, or the same domain-joined server credentials, and these may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could gain access to ePHI or other sensitive information.

To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate a facility’s network, and gain access to individual devices and/or servers.

The default credentials are primarily managed by BD support personnel. In cases where customers have domain-joined servers, BD support personnel will work with customer representatives to jointly manage credentials.

The use of default credentials in BD Pyxis™ devices is documented in BD Product Security White Papers, which customers can request from the BD Cybersecurity Trust Center. BD Product Security White Papers detail how security and privacy practices have been applied and provide information to help customers safeguard product security throughout each product's life cycle.

Vulnerability Score

Rationale: Adjacent access is required to exploit this vulnerability, meaning the attack needs to be initiated from the same shared physical or logical network. The attack complexity is low and is based on access to default credentials still in use. The scope is considered unchanged as this vulnerability is specific to only the impacted application. The vulnerability has a high impact on confidentiality, integrity and availability as specific default credentials potentially allow threat actors to gain privileged access to specific devices.

Mitigations and Compensating Controls

BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates.

BD is currently piloting a credential management solution, initially targeted at specific BD Pyxis™ product versions, that will allow improved authentication management practices for specific local operating system credentials. Changes needed to installation, upgrade, or application processes are being evaluated as part of the overall remediation.

Additionally, BD recommends the following compensating controls for customers using BD Pyxis™ products that use default credentials:

  • Limit physical access to only authorized personnel.
  • Tightly control management of system passwords provided to authorized users.
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity.
  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution, which automates patching and virus definition management, is available to customer accounts.
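The following script is an added example, not BD's code or part of this notification: it shows how the two network-level controls above (monitor and log traffic reaching the affected products; permit only trusted hosts to communicate with their VLAN) can be checked against a flow log. The VLAN range, the trusted source addresses, the list of remote-administration ports, the log format and the sample log lines are all assumptions constructed for the example.

```python
"""Audit a flow log for traffic reaching isolated BD Pyxis hosts.

Added example, not BD's code. It exercises two of the advisory's compensating
controls (log and monitor traffic that reaches the affected products; only
permit trusted hosts to talk to them) over a constructed flow log. The VLAN,
the trusted hosts, the service ports and the log format are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumption: the affected products have been isolated in this VLAN.
PYXIS_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Assumption: the only hosts permitted to reach that VLAN (for instance the
# application server and one pharmacy workstation).
TRUSTED_SOURCES = {
    ipaddress.ip_address("10.10.0.5"),
    ipaddress.ip_address("10.10.0.6"),
}

# Remote-administration ports of a Windows-based host. Traffic to these from
# an untrusted source is the most relevant to monitor while default local OS
# credentials may still be in use, because that is where they would be tried.
ADMIN_PORTS = {135: "rpc", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<timestamp> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return Flow(ts, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return a severity for a flow that violates the isolation policy, else None."""
    if flow.dst not in PYXIS_VLAN:
        return None                      # not aimed at an affected product
    if flow.src in TRUSTED_SOURCES:
        return None                      # permitted by the allowlist
    # Any other source reaching the VLAN violates the policy; remote
    # administration ports are where default OS credentials would matter.
    return "high" if flow.dport in ADMIN_PORTS else "medium"


def find_suspicious(lines):
    """Return (src, dst, dport, service, severity) for every violating flow."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        severity = classify(flow)
        if severity is not None:
            findings.append((str(flow.src), str(flow.dst), flow.dport,
                             ADMIN_PORTS.get(flow.dport, "other"), severity))
    return findings


def offenders(findings):
    """Count violating flows per source address, most active first."""
    counts = {}
    for src, *_ in findings:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log: two trusted sources doing routine work, one
# untrusted workstation reaching several VLAN hosts, and one flow to a
# destination outside the VLAN that the policy does not cover.
SAMPLE_FLOWS = """\
2024-03-01T08:02:11Z tcp 10.10.0.5 10.50.0.21 443
2024-03-01T08:02:15Z tcp 10.10.0.6 10.50.0.21 445
2024-03-01T08:03:40Z tcp 10.20.7.33 10.50.0.21 3389
2024-03-01T08:03:41Z tcp 10.20.7.33 10.50.0.22 445
2024-03-01T08:04:02Z tcp 10.10.0.5 10.60.1.9 443
2024-03-01T08:04:10Z udp 10.20.7.33 10.50.0.23 161
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_FLOWS.splitlines())
    for src, dst, dport, service, severity in hits:
        print(f"{severity.upper():6} {src} -> {dst}:{dport} ({service})")
    for src, n in offenders(hits):
        print(f"{src}: {n} violating flow(s)")
```

Run against the constructed sample, the script reports three violations, all from the single untrusted workstation, two of them rated high because they target remote-administration ports. In a real deployment the allowlist and VLAN would come from the firewall or switch configuration that implements the isolation control, and the flow records from the firewall or NetFlow exporter, so the audit confirms that the configured isolation actually holds.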

Additional Resources

For product- or site-specific concerns, contact your BD service representative.
