BD issued voluntary disclosures for a pair of hard-coded vulnerabilities in some of its medical devices: Pyxis and Viper LT, a BD Viper LT, an automated molecular testing system. (Photo credit by governortomwolf is licensed under CC BY 2.0)

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for the healthcare and public health sectors on vulnerabilities found in certain BD Pyxis and Viper LT products that could enable the access or modification of sensitive information.

The first is a severe flaw found in versions 2.0 and later of the BD Viper LT system, an automated specimen processing and integrated molecular testing tool. The device uses hard-coded credentials, which could allow an attacker to access, modify or delete device data, including protected health information and personally identifiable information.

CVE-2022-22765 is ranked 8.0 in severity and has a low attack complexity. The flaw is not exploitable remotely and there are currently no known public exploits specifically targeting it.

BD simultaneously issued an alert for another hard-coded vulnerability found in a long list of its Pyxis automated medication dispensing systems. A successful exploit could allow a threat actor to gain access to protected health information or other sensitive data. 

The flaw could enable “access to the underlying file system and exploit application files for information that could be used to decrypt application credentials or gain access” to sensitive information. The alert also notes that BD manages the credentials, which aren’t visible or used by customers to access the impacted devices.

CVE-2022-22766 has a 7.0 base score for severity.

BD's recommendations for voluntarily reported flaws

BD voluntarily reported these flaws to CISA and is currently working on remediating the hard-coded issues. The vendor intends the alert to raise awareness of the flaw and its recommended compensating controls for systems using hard-coded credentials.

Entities should make sure to implement physical access controls for the impacted Viper LT devices, while ensuring only authorized end-users can access the impacted systems. Where applicable, the system should be disconnected from network access. If access is necessary, entities should use standard network security policies and procedures.

BD recommends entities secure the impacted BD Pyxis products by using compensating user controls, including limiting physical access to authorized personnel, tightly controlling the management of system credentials, isolating the impacted devices, and monitoring traffic.

Entities are encouraged to work with the vendor or recommended remediation steps and to ensure all patching and virus definitions are up to date. Disclosures are critical to the healthcare sector’s ability to maintain the security of highly complex medical device security infrastructures. While challenging, working with the vendor directly on best practices can expedite the process.