Researchers have discovered over 1,400 vulnerabilities in the third-party software packages of an automated medical supply cabinet.
It wasn’t unusual for the duo to find ten or more vulnerabilities in the medical devices they scanned, but in one particular instance, Ahmadi and Rios uncovered 1,418 unique issues.
An advisory issued by the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identifies the vulnerable product as the CareFusion Pyxis SupplyStation System, an automated medical supply cabinet which dispenses medical devices and documents usage in real-time.
Each system consists of separate units located throughout a medical center that are connected together by the Pyxis SupplyCenter server, which in turn links to a facility’s information systems.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system,” the advisory warns. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”
Six software versions of the CareFusion Pyxis SupplyStation are affected by the vulnerabilities. All susceptible versions are end-of-life and run on Windows Server 2003/XP.
Ahmadi and Rios ultimately located the security issues, more than half of which (715) received a CVSS base score of 7.0 - 10.0, in the third-party components for the system’s software. Those include BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software Installshield, Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9, and Symantec pcAnywhere 10.5.
Following their discovery, the two researchers reported their find to the Food and Drug Administration (FDA), which in turn sent the report to ICS-CERT.
Becton Dickinson (BD), the new owner of CareFusion, has since been alerted to the vulnerabilities and has cooperated with the researchers to provide information for the ICS-CERT advisory.
Additionally, BD has developed an upgrade option to help customers migrate to the latest Pyxis SupplyStation platform.
With the knowledge that some organizations might not be able to do so, it has come up with a number of compensating measures, including isolating affected products from the internet, using VPNs when remote access is required, and closing all unused ports.
If you are a customer whose Pyxis SupplyStation system is vulnerable, please upgrade now. If that is impossible, refer to BD’s alert for more defensive measures you can use to reduce the risk of exploitation of these vulnerabilities.