Security Experts:

1,400 Flaws Found in Outdated CareFusion Medical Systems

Researchers discovered that old versions of CareFusion’s Pyxis SupplyStation system are plagued by more than 1,400 vulnerabilities that can be remotely exploited by malicious actors.

CareFusion, a subsidiary of global medical technology firm BD (Becton, Dickinson and Company), specializes in solutions designed for reducing medication errors and prevention of healthcare-associated infections. The Pyxis SupplyStation product is a healthcare inventory management system that automatically dispenses medical supplies and documents usage in real-time.CareFusion Pyxis SupplyStation

Using automated software analysis tools, researchers Billy Rios and Mike Ahmadi discovered that legacy versions of Pyxis SupplyStation are plagued by 1,418 vulnerabilities. More precisely, the flaws exist in seven different third-party software packages used by the CareFusion product.

The list of third-party components plagued by security holes includes BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software Installshield, Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.

Of the total number of vulnerabilities, 715 are high severity issues (CVSS score between 7.0 and 10), 606 have been rated “medium severity” (CVSS score between 4.0 and 6.9), and the rest are low severity flaws.

While the vulnerabilities can be remotely exploited to compromise affected Pyxis SupplyStation products, ICS-CERT noted in an advisory that the system is designed to maintain critical functionality and provide access to medical supplies even if it’s rendered inoperable.

“These vulnerabilities have also been assessed for clinical impact by BD and DHS and represent little to no risk to patient safety,” BD wrote in its own advisory.

The affected product versions, all of which have reached end of life (EOL), are Pyxis SupplyStation 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 running on Windows Server 2003 and Windows XP. Versions 9.3, 9.4 and 10 operating on Windows Server 2008, Server 2012 and Windows 7 are not impacted by the security bugs.

The vendor has advised customers to upgrade legacy systems to the latest version of the platform. CareFusion customers who don’t want to upgrade the product can protect themselves against potential attacks by following a series of recommendations provided by the vendor.

Mitigation advice includes isolating affected systems from the Internet, using VPNs where remote access is required, monitoring network traffic for suspicious activity, closing unused ports, and protecting devices with firewalls.

Related: Learn More at the ICS Cyber Security Conference

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.