BD discloses flaws affecting some Pyxis, Synapsis medical devices

New Cybersecurity and Infrastructure Security Agency alerts show BD has disclosed two types of vulnerabilities found in certain Pyxis and Synapsis medical devices. The flaw found in Pyxis products is ranked 8.8 in severity and should be prioritized by provider entities.

The “not using password aging” vulnerability is found in a range of BD Pyxis automated medication dispensing systems, including ES, CIISafe, Logistics, MedBank, MedStation, ParAssist, Rapid Rx, StockStation, and several other models.

The CVE-2022-22767 flaw can be remotely exploited with low complexity, which could enable an attacker to access the electronic protected health information or other sensitive information stored on the device, or use the access to gain privileged account access to the underlying file system.

Specifically, the vulnerability is caused by default credentials installed on the impacted products, which “may still operate” with those credentials in use. In additional scenarios, some BD Pyxis products have the same default local operating system credentials or domain-joined server credentials installed, which may be shared across product types.

BD is currently working to strengthen its credential management capabilities in the impacted products, while working with healthcare clients “whose domain-joined server(s) credentials require updates.” The company is also piloting a solution that targets the vulnerabilities found in these Pyxis products to improve authentication management for local system credentials.

Further, BD is evaluating possible remediations that focus on needed changes to installation, upgrade, or to applications.

For now, provider organizations are being urged to apply compensating controls to protect the impacted devices, such as limiting physical access to authorized personnel, tightly controlling system password management, monitoring and logging network traffic, and isolating the impacted devices behind a secure VLAN or behind firewalls.

The second CISA alert refers to a flaw found in versions 4.20, 4.20 SR1, and 4.30 of BD Synapsis workstations, which has a 5.7 ranking in severity. The flaw is caused by an insufficient session expiration. 

An attacker would have to physically breach the workstation with a specific “sequence of events that must occur in a specific order.” But if successful, an actor would be able to modify the patient information and cause delayed or incorrect treatment.

BD responsibly disclosed these vulnerabilities to CISA, a crucial part of securing the complicated medical device ecosystem in healthcare. The company will release a software update to remediate the Synapsis flaw in June for certain versions and in August for the remaining products.

Until then, it’s recommended that entities apply compensating controls for the impacted products, including configuring the inactivity session timeout to match the session expiration timeout, applying physical access controls, and placing reminders at each computer for users to log out or lock workstations when they leave the device.

Jessica Davis
