BD Use of Hard-coded Credentials Vulnerabilities in Viper LT and Pyxis Product Lines

Summary

Becton, Dickinson and Company (BD) reported use of hard-coded credential vulnerabilities in Viper LT products, their automated molecular testing system, and Pyxis products, their automated medication dispensing system.


Threat details

Introduction

Becton, Dickinson and Company (BD) have reported that two of their product lines are affected by use of hard-coded credentials vulnerabilities. There are no reports of these vulnerabilities being exploited in a clinical setting.

The vulnerability known as CVE-2022-22765 affects the BD Viper LT system and has a CVSSv3 score of 8.0. To exploit this vulnerability, an attacker would need physical or network access and would have to bypass additional security controls before they could access, modify, or delete sensitive patient information.

The vulnerability known as CVE-2022-22766 affects BD Pyxis products and has a CVSSv3 score of 7.0. To exploit this vulnerability, an attacker would need to obtain the hard-coded credentials and have network access to the devices before gaining control of the underlying file system. With control of the file system, the attacker could decrypt application credentials or gain access to sensitive health information.


Remediation advice

Affected organisations should read the relevant CISA advisories and BD bulletins listed in the steps below.

A fix is expected in version 4.80 of an upcoming BD Viper LT system software update. In the meantime, BD recommends the following compensating controls for users of BD Viper LT systems that utilize hard-coded credentials:

  • Ensure physical access controls are in place and only authorized end-users have access to the BD Viper LT system.
  • Disconnect the BD Viper LT system from network access, where applicable.
  • If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed.

BD recommends the following for BD Pyxis devices:

  • Limit physical access to the device to only authorized personnel.
  • Tightly control management of BD Pyxis system credentials provided to authorized users.
  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
  • Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
  • Work with a BD support team to ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts.

Remediation steps

Type: Guidance

  • BD Viper LT system – Hardcoded Credentials (BD bulletin)
    https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-hardcoded-credentials
  • ICS Medical Advisory (ICSMA-22-062-02) BD Viper LT
    https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02
  • BD Pyxis Products – Hardcoded Credentials (BD bulletin)
    https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-hardcoded-credentials
  • ICS Medical Advisory (ICSMA-22-062-01) BD Pyxis
    https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01


Last edited: 4 March 2022 2:19 pm