Researchers have discovered over 1,400 vulnerabilities in the third-party software packages of an automated medical supply cabinet.
Mike Ahmadi of Synopsys explains that he and fellow security researcher Billy Rios found the software flaws while scanning a number of medical devices.
It wasn’t unusual for the duo to find ten or more vulnerabilities in the medical devices they scanned, but in one particular instance, Ahmadi and Rios uncovered 1,418 unique issues.
Sign up to our newsletterAn advisory issued by the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identifies the vulnerable product as the CareFusion Pyxis SupplyStation System, an automated medical supply cabinet which dispenses medical devices and documents usage in real-time.
Each system consists of separate units located throughout a medical center that are connected together by the Pyxis SupplyCenter server, which in turn links to a facility’s information systems.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system,” the advisory warns. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”
Six software versions of the CareFusion Pyxis SupplyStation are affected by the vulnerabilities. All susceptible versions are end-of-life and run on Windows Server 2003/XP.
Ahmadi and Rios ultimately located the security issues, more than half of which (715) received a CVSS base score of 7.0 – 10.0, in the third-party components for the system’s software. Those include BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software Installshield, Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9, and Symantec pcAnywhere 10.5.
Following their discovery, the two researchers reported their find to the Food and Drug Administration (FDA), which in turn sent the report to ICS-CERT.
Becton Dickinson (BD), the new owner of CareFusion, has since been alerted to the vulnerabilities and has cooperated with the researchers to provide information for the ICS-CERT advisory.
Additionally, BD has developed an upgrade option to help customers migrate to the latest Pyxis SupplyStation platform.
With the knowledge that some organizations might not be able to do so, it has come up with a number of compensating measures, including isolating affected products from the internet, using VPNs when remote access is required, and closing all unused ports.
If you are a customer whose Pyxis SupplyStation system is vulnerable, please upgrade now. If that is impossible, refer to BD’s alert for more defensive measures you can use to reduce the risk of exploitation of these vulnerabilities.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
This is where nurse jackie and the real world collide. is anyone awake when they're coding this stuff? and to code it for an embedded OS that's EOL was so long ago. Now i understand that business needs to make a profit for their wares, but really, where's the ethics and honour in doing business anymore? or did i just wake up and those qualities really never existed in the world as we think we know?
I mean comon this is like getting shot in the head with an arrow.
ZB
'or did i just wake up and those qualities really never existed in the world as we think we know?'
The latter – it never existed. At least not on a whole (it's part of mankind).
But to be fair to them (at least in part) it might be that they didn't write this software after the operating system reached its EOL.
But all these flaws? Inexcusable but unfortunately not uncommon.
I'm I mortified, yes, but surprised, no.
Thanks for the pun. And you're absolutely right: it is terrifying and yet it isn't surprising. It is also inexcusable, irresponsible and they are indirectly helping medical professionals defy 'do no harm'. Yet this certainly isn't the only example. There was the case where a medical device (can't recall which one but I think it was written about here – and I believe this device had multiple flaws also) not only had TELNET access (and although the standard was updated to allow encryption it is seldom supported in both server+client [both being necessary] so unencrypted) but worse is it didn't bother with authorisation: essentially it was password-less remote root access!