The vulnerabilities can be exploited remotely by low-skilled attackers,
and exploits that target them are publicly available, ICS-CERT has
warned in an advisory.
The worst part is that the affected versions of the software are at
end-of-life and won't receive a patch, even though they are still widely
used.
What is the Pyxis SupplyStation system?
Developed by CareFusion, which was recently acquired by Becton,
Dickinson and Company (BD), the Pyxis SupplyStation system dispenses
medical supplies and documents usage in real-time.
“The Pyxis SupplyStation systems include automated devices that may
be deployed using a variety of functional configurations. [They] have an
architecture that typically includes a network of units, or
workstations, located in various patient care areas throughout a
facility and managed by the Pyxis SupplyCenter server, which links to
the facility’s existing information systems,” ICS-CERT explained.
“Exploitation of these vulnerabilities may allow a remote attacker to
compromise the Pyxis SupplyStation system. The SupplyStation system is
designed to maintain critical functionality and provide access to
supplies in ‘fail-safe mode’ in the event that the cabinet is rendered
inoperable. Manual keys can be used to access the cabinet if it is
rendered inoperable.”
Which versions are vulnerable?
Versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 of the Pyxis SupplyStation
system software that run on Windows Server 2003/XP are affected.
Versions 9.3, 9.4 and 10.0 that run on Server 2008/Server 2012/Windows 7
are not affected.
The discovery
Independent researchers Billy Rios and Mike Ahmadi obtained a Pyxis
SupplyStation through a third party that resells systems decommissioned
by healthcare organizations, and used an automated software analysis
tool to ferret out the vulnerabilities.
The flaws are present in seven different third-party vendor software
packages bundled in the vulnerable system, including MS Windows XP,
Symantec Antivirus 9, and Symantec pcAnywhere 10.5.
Of the vulnerabilities found, 715 are rated critical or high severity.
What’s to be done about it?
CareFusion has been involved in the research, and has confirmed the
existence of these flaws. Still, no updates will be offered for these
end-of-life systems.
Instead, the company has started contacting customers that bought the
automated supply cabinets, advising them to upgrade to newer versions
and explaining how to do it.
But, aware that this is not always possible, the company has also issued
recommendations for minimizing the risk of those systems being
compromised: monitor network traffic attempting to reach the affected
products for suspicious activity, isolate them from the business
network, untrusted systems and the Internet, and update the third-party
software packages bundled in the system software where possible.
More recommendations can be had from the ICS-CERT advisory.
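The following Python script is an added example, not code from the advisory or from BD/CareFusion: it applies the isolation recommendation above to constructed flow records, flagging any host other than the SupplyCenter server that reaches a cabinet and any cabinet that reaches the Internet. The addresses, the VLAN layout and the pcAnywhere port numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing plan (assumption, not from the advisory): the cabinets
# sit in their own VLAN and are managed only by the Pyxis SupplyCenter server.
SUPPLYSTATION_NET = ipaddress.ip_network("10.50.0.0/24")
SUPPLYCENTER_SERVER = ipaddress.ip_address("10.50.1.10")
# Address space considered "inside the facility"; anything else is the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Symantec pcAnywhere default ports (well-known product defaults, not from the advisory).
PCANYWHERE_PORTS = {5631, 5632}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def classify(flow: Flow) -> Optional[str]:
    """Return a finding label if the flow violates the isolation policy, else None."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst in SUPPLYSTATION_NET and src != SUPPLYCENTER_SERVER and src not in SUPPLYSTATION_NET:
        # A host outside the cabinet segment (business LAN, untrusted system) is
        # reaching a unit; a remote-control port makes it a higher-priority finding.
        if flow.dport in PCANYWHERE_PORTS:
            return "remote-access-from-outside-segment"
        return "inbound-from-outside-segment"
    if src in SUPPLYSTATION_NET and not any(dst in net for net in INTERNAL_NETS):
        return "cabinet-to-internet"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run every flow through the policy and keep only the violations."""
    return [(f, v) for f in flows if (v := classify(f)) is not None]

# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.50.1.10", "10.50.0.21", 443, "tcp"),      # SupplyCenter -> unit: allowed
    Flow("10.50.0.21", "10.50.1.10", 1433, "tcp"),     # unit -> SupplyCenter: allowed
    Flow("192.168.20.45", "10.50.0.21", 5631, "tcp"),  # business-LAN PC, pcAnywhere port
    Flow("192.168.20.45", "10.50.0.21", 135, "tcp"),   # business-LAN PC, RPC
    Flow("10.50.0.21", "203.0.113.7", 80, "tcp"),      # unit reaching the Internet
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

In practice the flow records would come from a firewall or NetFlow export at the boundary of the cabinet segment; the policy itself stays the same.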
Healthcare and security
It’s true that cyber attackers are mostly after healthcare data,
as it usually contains the perfect bundle of individuals’ personal
information, credit information, and protected health information.
It’s also true that healthcare organizations need a healthy dose of investment in technologies in order to prevent successful attacks.
It's understandable that healthcare organizations are currently more
focused on fending off ransomware, as that impacts their functioning at
all levels.
But with more and more researchers concentrating on finding vulnerabilities in medical devices and systems (systems found exposed online, sporting hard-coded passwords, etc.), it’s becoming obvious that cyber attacks can – and inevitably some day will – result in physical harm.
The healthcare industry – from manufacturers to practitioners – must start considering system and data security important