Security researchers found 1,418 vulnerabilities in CareFusion’s Pyxis SupplyStation medical dispensing system, and the flaws can be exploited remotely. 715 of those vulnerabilities in the “automated supply cabinets used to dispense medical supplies” have a severity rating of high or critical.
The Pyxis SupplyStation system is a “secure storage device” for medical supplies that documents supply usage and interfaces with software to bill the patient. The vulnerabilities can be exploited remotely, and exploits targeting the flaws are publicly available, the ICS-CERT advisory notes. It gets “better,” too: exploiting the medical system apparently would not require a l33t hacker. ICS-CERT noted, “An attacker with low skill would be able to exploit many of these vulnerabilities.”
The flaws in the Pyxis SupplyStation system, a product made by CareFusion – a subsidiary of Becton, Dickinson and Company (BD) – were found by security researchers Billy Rios and Mike Ahmadi. Ahmadi summarized, “There are 6 affected CareFusion products, with a total of 1,418 vulnerabilities present in 7 different third-party vendor software packages.”
“The Pyxis SupplyStation systems include automated devices that may be deployed using a variety of functional configurations,” explained ICS-CERT. “The Pyxis SupplyStation systems have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility’s existing information systems.”
Numerous Pyxis SupplyStation software versions are affected (8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3), all running on Windows Server 2003 or Windows XP. Because those versions run on end-of-life operating systems, “a patch will not be provided.”
Version 8.1.3 of the Pyxis SupplyStation system, last updated around April 2010, was tested and determined to contain 1,418 vulnerabilities that are present in 7 different third-party vendor software packages, spread across 86 different files. The breakdown of the 1,418 vulnerabilities by CVSS score is as follows:
715 vulnerabilities were identified as having a CVSS base score of 7.0-10.0,
606 vulnerabilities were identified as having a CVSS base score of 4.0-6.9, and
97 vulnerabilities were identified as having a CVSS base score of 0-3.9.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system,” the advisory warned. “The SupplyStation system is designed to maintain critical functionality and provide access to supplies in ‘fail-safe mode’ in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable.”
Ahmadi said he first sent notification of the vulnerabilities to the FDA, which forwarded the report to DHS ICS-CERT. While communicating with ICS-CERT and CareFusion, Ahmadi said he was impressed that CareFusion – now BD – “did not deny any of the vulnerabilities existed, and also offered up all affected systems, voluntarily for use in the advisory.”
Ahmadi said it is important to note “that the issues are in the third-party packages, which we have been preaching about for the last several years. Up to 90% of the software used in development today is third-party.”
The 1,418 bugs are present in seven third-party software packages including Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.
CareFusion is attempting to contact affected customers and advising them to upgrade. For customers that cannot upgrade, ICS-CERT’s advisory lists CareFusion’s suggested mitigations for systems running the legacy operating systems.