
BD Pyxis MedStation and Pyxis Anesthesia Improper Access Vulnerability

BD has released details of a protection mechanism failure vulnerability affecting their MedStation ES and Anesthesia ES automated dispensing systems. They claim that a physical user could exploit this vulnerability to escape restricted environments.

Affected platforms

The following platforms are known to be affected:

  • Pyxis Anesthesia (PAS) ES System - Version 1.6.1 and earlier
  • Pyxis MedStation ES System - Version 1.6.1 and earlier

Threat details

The vulnerability is a result of the systems' 'kiosk mode' functionality not properly restricting the inputs a user can submit on the device. An attacker with physical access can craft inputs that break out of the kiosk environment, at which point they are able to access sensitive patient or system data.

Remediation steps

BD has confirmed they are creating an update to address this vulnerability in the affected products. Affected organisations are encouraged to review BD's security advisory and contact their relevant suppliers to apply any updates as they become available.

The following mitigation steps can also be applied in the meantime:

  • Limit physical access to the Pyxis MedStation ES and Anesthesia (PAS) ES System to authorized users only.
  • Isolate impacted systems and only connect them to trusted systems.
  • Monitor and investigate unplanned reboots of systems using network monitoring tools provided by IT departments.
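The third mitigation asks organisations to watch for unplanned reboots, which are a plausible side effect of a kiosk breakout attempt. The script below is an added example written for this alert; it is not code from BD, CISA or NHS Digital. It assumes the stations forward a syslog-style boot line to a collector; the line format, host names, boot reasons and maintenance window are all constructed for the example and would need adapting to what a real Pyxis deployment emits.

```python
"""
Added example (not part of the NHS Digital alert or BD's products): flag
reboots of dispensing stations that were not planned, so they can be
investigated as the mitigation step recommends.

Assumption: each station sends a line like the constructed ones below when it
boots. Adjust BOOT_RE to the real format your collector receives.
"""
import re
from datetime import datetime, time

# Constructed sample feed: boot events for two stations plus an unrelated line.
SAMPLE_LOG = """\
2021-06-28T02:10:05 PYX-ES-07 system: boot reason=scheduled-update
2021-06-28T14:32:41 PYX-ES-07 system: boot reason=unknown
2021-06-28T14:40:12 PYX-ES-07 system: boot reason=unknown
2021-06-28T15:01:00 PYX-ES-03 system: login user=nurse42 result=ok
2021-06-29T03:15:30 PYX-ES-03 system: boot reason=power-loss
"""

# Regular expression for the constructed boot-line format.
BOOT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) system: boot reason=(?P<reason>\S+)$"
)

# Boot reasons the operations team has documented as planned (assumed values).
PLANNED_REASONS = {"scheduled-update"}
# Agreed maintenance window in local time (assumed values).
MAINT_START, MAINT_END = time(1, 0), time(4, 0)


def parse_boots(log_text):
    """Yield (timestamp, host, reason) for every boot line; skip other lines."""
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["reason"]


def is_unplanned(ts, reason):
    """A boot counts as planned only if its reason is documented AND it falls
    inside the maintenance window; anything else needs a human look."""
    in_window = MAINT_START <= ts.time() <= MAINT_END
    return not (reason in PLANNED_REASONS and in_window)


def unplanned_reboots(log_text):
    """Return {host: [(timestamp, reason), ...]} for boots that need investigation."""
    findings = {}
    for ts, host, reason in parse_boots(log_text):
        if is_unplanned(ts, reason):
            findings.setdefault(host, []).append((ts, reason))
    return findings


def hosts_exceeding(findings, threshold=2):
    """Hosts with at least `threshold` unplanned boots; repeated reboots of one
    station in a short period are the pattern worth prioritising."""
    return sorted(h for h, events in findings.items() if len(events) >= threshold)


if __name__ == "__main__":
    found = unplanned_reboots(SAMPLE_LOG)
    for host, events in sorted(found.items()):
        for ts, reason in events:
            print(f"{host}: unplanned boot at {ts.isoformat()} (reason={reason})")
    print("priority hosts:", hosts_exceeding(found))
```

On the constructed feed the 02:10 scheduled-update boot is accepted as planned, the two daytime boots of PYX-ES-07 and the power-loss boot of PYX-ES-03 are flagged, and PYX-ES-07 is listed as a priority host because it rebooted twice. The point of keeping the boot reason and the maintenance window as separate checks is that a reboot with a benign-looking reason outside the agreed window still surfaces for review.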


Last edited: 29 June 2021 12:01 pm