CVE-2022-22766: BD Pyxis™ Products - Hardcoded Credentials
This notification provides product security information and recommendations related to the use of hardcoded credentials in specific BD Pyxis™ products. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
Products in Scope
The product list below identifies existing BD Pyxis™ products that use hardcoded credentials. The list may be updated as more products are identified. Please check back periodically for updates.
BD Pyxis™ Anesthesia Station ES
BD Pyxis™ Anesthesia Station 4000
BD Pyxis™ CATO
BD Pyxis™ CIISafe
BD Pyxis™ Inventory Connect
BD Pyxis™ IV Prep
BD Pyxis™ JITrBUD
BD Pyxis™ KanBan RF
BD Pyxis™ Logistics
BD Pyxis™ Med Link Family
BD Pyxis™ MedBank
BD Pyxis™ MedStation™ 4000
BD Pyxis™ MedStation™ ES
BD Pyxis™ MedStation™ ES Server
BD Pyxis™ ParAssist
BD Pyxis™ PharmoPack™
BD Pyxis™ ProcedureStation™ (including EC)
BD Pyxis™ Rapid Rx
BD Pyxis™ StockStation
BD Pyxis™ SupplyCenter
BD Pyxis™ SupplyRoller
BD Pyxis™ SupplyStation™ (including RF, EC, CP)
BD Pyxis™ Track and Deliver
BD Rowa™ Pouch Packaging Systems
Vulnerability Details
- CVE-2022-22766 - Hardcoded credentials are used in specific BD Pyxis™ products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
The BD Pyxis™ device’s hardcoded credentials are not used directly by customers or end-users to access the system. The use of hardcoded credentials in BD Pyxis™ devices is documented in BD Product Security White Papers, which customers can request from the BD Cybersecurity Trust Center. BD Product Security White Papers detail how security and privacy practices have been applied and provide information to help customers safeguard product security throughout each product’s life cycle.
To exploit this vulnerability, threat actors would have to obtain the hardcoded credentials, infiltrate the facility's network, and gain access to individual devices.
There have been no reports of this vulnerability being exploited in a clinical setting.
Vulnerability Score
- CVSS: 7.0 (High) CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Mitigations and Compensating Controls
BD is in the process of strengthening our credential management capabilities in BD Pyxis™ devices and is providing this information to increase awareness.
Additionally, BD recommends the following compensating controls for customers using BD Pyxis™ products that utilize the hardcoded credentials:
- Limit physical access to the device to only authorized personnel.
- Tightly control management of BD Pyxis™ system credentials provided to authorized users.
- Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
- Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
- Work with your local BD support team to ensure all patching and virus definitions are up to date. The Pyxis™ Security Module for automated patching and virus definition management is provided to all accounts.
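The network-isolation and traffic-monitoring controls above are only useful if someone checks what the firewall in front of the Pyxis VLAN actually sees. The following Python script is an added example, not BD's code and not part of the advisory: it reviews constructed firewall log lines for traffic aimed at an isolated Pyxis VLAN and flags two things, connection attempts from hosts outside the allowlist (especially toward services such as SMB, RDP, SSH or WinRM that would give an attacker the file-system access the advisory warns about), and, more importantly, any such attempt the firewall *allowed*, which indicates the segmentation rules themselves are wrong. The subnet (10.50.0.0/24), the trusted hosts, the port-to-service table and the `src= dst= dport= action=` log format are all assumptions chosen for the example.

```python
"""Flag traffic aimed at an isolated Pyxis VLAN that the segmentation policy
should never permit. Added example; hosts, subnets and log format are
constructed for illustration and are not taken from the BD advisory."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical isolated VLAN holding the affected devices.
PYXIS_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Hypothetical allowlist: trusted host -> destination ports it may use.
TRUSTED_HOSTS = {
    "10.10.1.5": {443},         # pharmacy application server, HTTPS only
    "10.10.1.9": {443, 8443},   # vendor support jump host
}

# Services that give an interactive or file-level foothold on a device;
# reaching one from an untrusted host is the scenario the advisory describes.
FOOTHOLD_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# Key/value firewall log format assumed for this example.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    action: str
    reason: str
    policy_gap: bool  # True when the firewall allowed something it should have blocked


def review_line(line):
    """Return a Finding for one log line, or None if the line is benign or unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m["src"], m["dst"], int(m["dport"]), m["action"]
    try:
        if ipaddress.ip_address(dst) not in PYXIS_VLAN:
            return None  # not aimed at an affected device
    except ValueError:
        return None      # hostname or garbage in dst; out of scope here
    allowed_ports = TRUSTED_HOSTS.get(src)
    if allowed_ports is None:
        svc = FOOTHOLD_PORTS.get(dport)
        reason = "untrusted source reaching %s port %d" % (svc, dport) if svc else "untrusted source"
        return Finding(src, dst, dport, action, reason, policy_gap=(action == "allow"))
    if dport not in allowed_ports:
        return Finding(src, dst, dport, action, "trusted host on unapproved port",
                       policy_gap=(action == "allow"))
    return None


def review_log(lines):
    """Run review_line over every line and keep the findings."""
    return [f for f in (review_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2022-02-01T10:00:00Z fw src=10.10.1.5 dst=10.50.0.21 dport=443 action=allow",
    "2022-02-01T10:00:05Z fw src=10.10.1.5 dst=10.50.0.21 dport=445 action=deny",
    "2022-02-01T10:00:09Z fw src=192.168.7.44 dst=10.50.0.21 dport=3389 action=deny",
    "2022-02-01T10:00:12Z fw src=192.168.7.44 dst=10.50.0.22 dport=445 action=allow",
    "2022-02-01T10:00:20Z fw src=192.168.7.44 dst=10.10.1.5 dport=80 action=allow",
    "2022-02-01T10:00:25Z fw heartbeat ok",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        tag = "POLICY GAP" if f.policy_gap else "attempt"
        print(f"{tag}: {f.src} -> {f.dst}:{f.dport} ({f.action}) {f.reason}")
```

On the sample input the script reports three findings: a trusted host probing SMB (denied, but worth asking why), an untrusted workstation trying RDP into a device (denied), and an untrusted workstation that was *allowed* to reach SMB on a device, the one result that should trigger an immediate review of the VLAN firewall rules rather than a ticket. Denied attempts show the control working; allowed ones show it failing.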
Additional Resources
For product- or site-specific concerns, contact your BD service representative.