OTPulse

CareFusion Pyxis SupplyStation System Vulnerabilities

Risk: Low · ICS-CERT ICSA-14-288-01 · Jul 18, 2014
Summary

CareFusion Pyxis SupplyStation system version 8.1 hardware test tool software (<=1.0.15) contains multiple vulnerabilities related to credential storage and information disclosure. The test tool stores sensitive credentials in cleartext or easily reversible form and may leak sensitive information through error messages or logs. These vulnerabilities could allow unauthorized access to the SupplyStation system and connected pharmacy management functions. No vendor patch is available for this product.

What this means
What could happen
An attacker with access to the Pyxis SupplyStation hardware test tool could extract sensitive credentials and information from the system, potentially gaining unauthorized access to supply chain management functions.
Who's at risk
Healthcare facilities using CareFusion Pyxis SupplyStation systems for medication and supply dispensing. This affects hospital pharmacies, operating rooms, and other clinical departments that depend on the Pyxis system for inventory management and supply control.
How it could be exploited
An attacker would need to access the hardware test tool software (version 1.0.15 or earlier) running on the SupplyStation system. The tool stores credentials in cleartext or easily reversible form (CWE-798) and may disclose sensitive information through error messages or logs (CWE-215). Once accessed, the attacker could use extracted credentials to authenticate to the SupplyStation system or connected pharmacy management systems.
Prerequisites
  • Physical or network access to the SupplyStation hardware test tool
  • The test tool software must be installed (version 1.0.15 or earlier)
  • Access to the system where the tool is running
Tags:
  • no patch available
  • hardcoded or weak credentials (CWE-798)
  • information disclosure vulnerability (CWE-215)
  • affects critical supply chain control in healthcare settings
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
  • Product: Pyxis SupplyStation system 8.1 (hardware test tool software)
    Affected versions: ≤ 1.0.15
    Fix status: No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Immediately disable or isolate the Pyxis SupplyStation hardware test tool from the network if it is not actively in use for maintenance
  • HARDENING: Restrict physical and network access to any system running the hardware test tool to authorized personnel only

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Conduct a credential audit: change all passwords and access credentials for systems that may have been accessed or tested with the hardware tool

Mitigations - no patch available

Pyxis SupplyStation system 8.1 (hardware test tool software): <=1.0.15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Monitor system logs and access controls on the SupplyStation for unauthorized credential use or configuration changes