Risk | Medium |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-22767 |
CWE-ID | CWE-262 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software |
(BD) Pyxis ES Anesthesia Station | Hardware solutions / Medical equipment |
(BD) Pyxis CIISafe | Hardware solutions / Medical equipment |
(BD) Pyxis Logistics | Hardware solutions / Medical equipment |
(BD) Pyxis MedBank | Hardware solutions / Medical equipment |
(BD) Pyxis MedStation 4000 | Hardware solutions / Medical equipment |
(BD) Pyxis MedStation ES | Hardware solutions / Medical equipment |
(BD) Pyxis MedStation ES Server | Hardware solutions / Medical equipment |
(BD) Pyxis ParAssist | Hardware solutions / Medical equipment |
(BD) Pyxis Rapid Rx | Hardware solutions / Medical equipment |
(BD) Pyxis StockStation | Hardware solutions / Medical equipment |
(BD) Pyxis SupplyCenter | Hardware solutions / Medical equipment |
(BD) Pyxis SupplyRoller | Hardware solutions / Medical equipment |
(BD) Pyxis SupplyStation | Hardware solutions / Medical equipment |
(BD) Pyxis SupplyStation EC | Hardware solutions / Medical equipment |
(BD) Pyxis SupplyStation RF auxiliary | Hardware solutions / Medical equipment |
(BD) Rowa Pouch Packaging Systems | Hardware solutions / Medical equipment |
Vendor | Becton, Dickinson and Company (BD) |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU63899
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-22767
CWE-ID: CWE-262 - Not Using Password Aging
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected products are installed with default credentials and may still operate with these credentials. A remote attacker on the local network can gain privileged access to the underlying file system and gain access to ePHI or other sensitive information.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
(BD) Pyxis ES Anesthesia Station: All versions
(BD) Pyxis CIISafe: All versions
(BD) Pyxis Logistics: All versions
(BD) Pyxis MedBank: All versions
(BD) Pyxis MedStation 4000: All versions
(BD) Pyxis MedStation ES: All versions
(BD) Pyxis MedStation ES Server: All versions
(BD) Pyxis ParAssist: All versions
(BD) Pyxis Rapid Rx: All versions
(BD) Pyxis StockStation: All versions
(BD) Pyxis SupplyCenter: All versions
(BD) Pyxis SupplyRoller: All versions
(BD) Pyxis SupplyStation: All versions
(BD) Pyxis SupplyStation EC: All versions
(BD) Pyxis SupplyStation RF auxiliary: All versions
(BD) Rowa Pouch Packaging Systems: All versions
CPE2.3
http://ics-cert.us-cert.gov/advisories/icsma-22-151-01
http://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.