Dive Brief:
- The Department of Homeland Security on Tuesday issued its fifth cybersecurity alert about Becton Dickinson's Pyxis medication dispensing machines in as many years.
- In the latest notice, the DHS’s Cybersecurity and Infrastructure Security Agency describes the lack of password aging as a weakness that could give an attacker access to electronic protected health information. DHS scored the vulnerability as 8.8 on a 10-point scale.
- BD, which voluntarily reported the vulnerability, is working with users whose credentials need updating while piloting a new system that is intended to improve authentication management.
Dive Insight:
The DHS posted one notice about the Pyxis device each year from 2018 to 2020. While no new vulnerabilities emerged last year, two alerts were issued in 2022, with the latest coming weeks after the department flagged a risk related to the use of hard-coded credentials after being told about the problem by BD.
The latest notice stems from the fact that some Pyxis products may still operate with their default credentials. Multiple products may have the same default credentials that are shared across product types, potentially opening a door through which an attacker could gain privileged access to the file system.
BD set out what the vulnerability means in practice in an emailed statement on Tuesday.
“The default credentials in BD Pyxis devices are primarily managed by BD support personnel. To exploit this vulnerability, an unauthorized user would have to gain access to the default credentials, infiltrate a facility’s network and gain access to individual devices and/or servers. If exploited, an unauthorized user may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to electronic protected health information or other sensitive information,” the company said in the statement.
There are no known public exploits that specifically target the vulnerability and BD is working to address the problem, it added.
Service personnel are now working to update domain-joined server credentials as needed. The company also noted it's piloting “a credential management solution initially targeted for specific BD Pyxis product versions and will allow for improved authentication management practices with specific local operating system credentials.” Installation, upgrade and application remediations are under evaluation.
While working on a fix, BD said it's advising users to ensure only authorized personnel have physical access, “tightly control management of system passwords provided to authorized users,” log network traffic and isolate affected products in a secure virtual local area network or behind firewalls with restricted access.