Becton, Dickinson and Company (BD) found a medium severity vulnerability in the BD Pyxis MedStation medication dispensing system version 1.6.1 and in the Pyxis Anesthesia (PAS) ES System anesthesia carts. An attacker who exploits the vulnerability could gain access to sensitive information.
BD devices run their application in a restricted desktop configuration known as kiosk mode, which limits what a user can execute on the device. The vulnerability, a protection mechanism failure (CWE-693), could allow an attacker to escape the restricted desktop environment and thereby access and alter sensitive data.
An attacker with a low level of skill can exploit the vulnerability; however, exploitation requires physical access to a vulnerable device. BD performed a risk assessment and found a low probability of exploitation. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.
BD actively evaluates its products for security vulnerabilities. The firm operates with openness and promptly communicates security concerns to customers so that they can take the appropriate steps to manage the risk. Although the vulnerability could lead to data disclosure, the probability of exploitation is low, so customers were urged not to stop using the devices, as the benefits of using them outweigh the risk.
BD is currently developing an update for the vulnerable products that will harden kiosk mode so that escaping it is more difficult. Until that update is applied to vulnerable devices, the mitigations recommended by BD will help limit exploitation. Hospitals using the vulnerable devices should restrict physical access to the devices to authorized personnel. Affected systems should be isolated and connected only to trusted systems. Unexpected reboots of the devices should be monitored using network monitoring tools.
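The last mitigation, monitoring for unexpected reboots, can be automated against the records a network monitoring tool already collects. The following is an added example, not BD's code or guidance: it assumes the monitoring tool polls each station's uptime counter (for instance over SNMP) and writes one constructed record per poll in the form "timestamp device uptime=seconds", and it flags a reboot (uptime counter decreasing between polls) that falls outside an assumed maintenance window.

```python
"""Flag unexpected reboots of Pyxis stations from uptime polling records.

Assumptions (not from the BD advisory): a monitoring tool polls each device's
uptime counter and logs "<ISO timestamp> <device> uptime=<seconds>" per poll.
A reboot is inferred when uptime decreases between polls; it is "unexpected"
if it happens outside the approved maintenance window.
"""
from datetime import datetime, time

# Constructed sample poll records (not real device data).
SAMPLE_POLLS = """\
2022-03-01T01:55:00 PYXIS-ICU-01 uptime=864000
2022-03-01T02:05:00 PYXIS-ICU-01 uptime=120
2022-03-01T13:00:00 PYXIS-ICU-01 uptime=39420
2022-03-01T13:10:00 PYXIS-ICU-01 uptime=45
2022-03-01T13:00:00 PYXIS-ER-02 uptime=500000
2022-03-01T13:10:00 PYXIS-ER-02 uptime=500600
"""

# Assumed approved maintenance window: 01:00 to 03:00 local time.
MAINT_START, MAINT_END = time(1, 0), time(3, 0)


def parse_polls(text):
    """Return (timestamp, device, uptime_seconds) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, field = line.split()
        key, value = field.split("=")
        if key != "uptime":
            raise ValueError(f"unexpected field in poll record: {line!r}")
        records.append((datetime.fromisoformat(ts), device, int(value)))
    return sorted(records)


def in_maintenance_window(ts):
    """True if the timestamp falls inside the approved maintenance window."""
    return MAINT_START <= ts.time() < MAINT_END


def find_unexpected_reboots(text):
    """Return [(device, timestamp)] for reboots outside the maintenance window."""
    last_uptime = {}
    alerts = []
    for ts, device, uptime in parse_polls(text):
        previous = last_uptime.get(device)
        # Uptime counter went down: the device restarted since the last poll.
        if previous is not None and uptime < previous and not in_maintenance_window(ts):
            alerts.append((device, ts))
        last_uptime[device] = uptime
    return alerts


if __name__ == "__main__":
    for device, ts in find_unexpected_reboots(SAMPLE_POLLS):
        print(f"ALERT unexpected reboot of {device} at {ts.isoformat()}")
```

On the sample data the 02:05 restart of PYXIS-ICU-01 is ignored as in-window maintenance, while the 13:10 restart is reported; a reboot of a kiosk-mode station during clinical hours is the kind of event the advisory asks hospitals to investigate.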