
1,400 Flaws Found in Outdated CareFusion Medical Systems

Researchers discovered that old versions of CareFusion’s Pyxis SupplyStation system are plagued by more than 1,400 vulnerabilities that can be remotely exploited by malicious actors.

CareFusion, a subsidiary of global medical technology firm BD (Becton, Dickinson and Company), specializes in solutions designed to reduce medication errors and prevent healthcare-associated infections. The Pyxis SupplyStation product is a healthcare inventory management system that automatically dispenses medical supplies and documents usage in real time.

Using automated software analysis tools, researchers Billy Rios and Mike Ahmadi discovered that legacy versions of Pyxis SupplyStation contain 1,418 vulnerabilities. More precisely, the flaws exist in seven third-party software packages bundled with the CareFusion product rather than in CareFusion's own code.

The affected third-party components are BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software InstallShield, Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.

Of the total, 715 are high severity issues (CVSS score between 7.0 and 10), 606 have been rated "medium severity" (CVSS score between 4.0 and 6.9), and the remaining 97 are low severity flaws.

While the vulnerabilities can be remotely exploited to compromise affected Pyxis SupplyStation products, ICS-CERT noted in an advisory that the system is designed to maintain critical functionality and provide access to medical supplies even if it is rendered inoperable.

“These vulnerabilities have also been assessed for clinical impact by BD and DHS and represent little to no risk to patient safety,” BD wrote in its own advisory.

The affected product versions, all of which have reached end of life (EOL), are Pyxis SupplyStation 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 running on Windows Server 2003 and Windows XP. Versions 9.3, 9.4 and 10 running on Windows Server 2008, Windows Server 2012 and Windows 7 are not impacted. Version 9.3 appears on both lists because the exposure comes from the bundled components and the underlying operating system, not from the SupplyStation version number alone.

The vendor has advised customers to upgrade legacy systems to the latest version of the platform. CareFusion customers who cannot or do not want to upgrade the product can reduce their exposure to potential attacks by following a series of recommendations provided by the vendor.


Mitigation advice includes isolating affected systems from the Internet, using VPNs where remote access is required, monitoring network traffic to and from the devices for suspicious activity, closing unused ports, and placing the devices behind firewalls that only permit the connections they actually need.
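The isolation and monitoring advice above boils down to one control: a device that cannot be patched should only ever talk to the handful of hosts it needs, and anything else should be visible. The following is an added example, not code from the article, from BD/CareFusion or from ICS-CERT, of an egress audit for a segregated device VLAN: flows leaving the segment are compared against a small allowlist, and Internet-bound or unexpected lateral traffic is reported. The VLAN range, the allowlisted hosts, the ports (including the assumed Sybase SQL Anywhere and pcAnywhere defaults) and the flow records are all constructed assumptions for illustration.

```python
"""Egress allowlist audit for a legacy-device segment.

Added example (not from the SecurityWeek article or the vendor).  All
addresses, ports and flow records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the dispensing cabinets live on their own isolated VLAN.
DEVICE_SEGMENT = ipaddress.ip_network("10.20.30.0/24")

# Assumed allowlist: (destination network, permitted TCP destination ports).
ALLOWED = [
    (ipaddress.ip_network("10.20.40.10/32"), {2638}),  # assumed SQL Anywhere server (2638 is its default port)
    (ipaddress.ip_network("10.20.40.20/32"), {443}),   # assumed pharmacy application server
    (ipaddress.ip_network("10.20.50.5/32"), {1194}),   # assumed VPN concentrator for remote support
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_flow(line):
    """Parse one constructed flow-log line: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow):
    """Return 'ignored', 'allowed', 'internet' or 'unexpected' for a flow.

    Only flows originating in the device segment are judged.  Anything that
    does not match the allowlist is flagged; Internet-bound traffic gets its
    own verdict because the devices should never reach the Internet at all.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in DEVICE_SEGMENT:
        return "ignored"
    for net, ports in ALLOWED:
        if dst in net and flow.dport in ports and flow.proto == "tcp":
            return "allowed"
    if dst.is_global:
        return "internet"
    # Includes cabinet-to-cabinet traffic: the devices have no reason to
    # talk to each other, so lateral connections are reported too.
    return "unexpected"


def audit(lines):
    """Group flagged flows by verdict; allowed and ignored flows are dropped."""
    findings = {}
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict in ("internet", "unexpected"):
            findings.setdefault(verdict, []).append(flow)
    return findings


# Constructed sample flow records for the demonstration.
SAMPLE_FLOWS = [
    "10.20.30.11 10.20.40.10 2638 tcp",    # cabinet -> database server: allowed
    "10.20.30.11 10.20.40.20 443 tcp",     # cabinet -> application server: allowed
    "10.20.30.12 93.184.216.34 80 tcp",    # cabinet -> Internet: must not happen
    "10.20.30.12 10.20.30.11 5631 tcp",    # cabinet -> sibling cabinet on the assumed pcAnywhere port
    "10.20.30.13 10.20.50.5 1194 tcp",     # cabinet -> VPN concentrator: allowed
    "10.20.60.7 10.20.30.11 3389 tcp",     # inbound from another segment: not judged by this egress check
]

if __name__ == "__main__":
    for verdict, flows in sorted(audit(SAMPLE_FLOWS).items()):
        for f in flows:
            print(f"{verdict:10} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run against real flow exports (NetFlow, firewall logs), the same allowlist doubles as the firewall policy for the segment: anything the audit would flag is a connection the firewall should already be dropping, so a non-empty report means either the rules are incomplete or something on the VLAN is behaving unexpectedly. Inbound traffic to the devices needs its own rule set and is deliberately out of scope here.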


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
