BD Pyxis (Update A)

MonitorCVSS 7.6ICS-CERT ICSMA-19-248-01Sep 5, 2019

BDHealthcare

Attack path

Attack VectorAdjacent

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A session management vulnerability in BD Pyxis ES and Pyxis Enterprise Server allows a user with expired Active Directory credentials to maintain access to medication dispensing cabinets if the devices are connected to the hospital domain. The vulnerability occurs because the systems do not properly validate credential expiration status when authenticating against Active Directory, allowing attackers with stale credentials to regain access with previously granted privileges. This could enable unauthorized access to patient data and medication inventory. The issue primarily affects organizations using non-recommended AD domain integration on Pyxis devices.

What this means

What could happen

An attacker with a previously valid hospital network account could regain access to a Pyxis medication dispensing cabinet even after account expiration, potentially gaining unauthorized access to patient data and medications.

Who's at risk

Healthcare facilities using BD Pyxis medication dispensing cabinets integrated with Active Directory domain authentication are affected. This particularly impacts hospitals that have connected Pyxis ES or Pyxis Enterprise Server systems to their hospital domain network for centralized credential management.

How it could be exploited

An attacker with expired Active Directory credentials connected to the hospital domain could authenticate to a Pyxis ES or Enterprise Server system that is also joined to the domain. The system fails to properly validate credential expiration, allowing the attacker to use stale credentials to access the device with the same privileges the original user had.

Prerequisites

Active Directory integration enabled on Pyxis device
Pyxis device connected to hospital domain network
Access to a previously valid but now-expired hospital network user account
Knowledge of the expired account credentials

requires network access to hospital domainrequires valid user credentials (albeit expired)affects medication dispensing systemsno vendor patch availablerequires specific configuration (AD integration and domain connection)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

Pyxis ES≥ 1.3.4 | < 1.5.3No fix (EOL)

Pyxis Enterprise Server with Windows Server:≥ 4.4 | ≤ 4.12No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGDo not rely on AD user account expiration dates as a security control; actively remove user accounts from AD when employees depart

HARDENINGRestrict network access to Pyxis devices to authorized clinical staff only and enforce least privilege access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGUpgrade Microsoft Active Directory Domain Controllers to functional level 2012 or higher

HARDENINGPlace Pyxis medication dispensing cabinets behind firewalls and on segmented networks isolated from general hospital IT infrastructure

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Pyxis ES, Pyxis Enterprise Server with Windows Server:. Apply the following compensating controls:

HARDENINGDo not connect Pyxis ES medication dispensing cabinets to the hospital domain; place them on a separate, isolated network segment

CVEs (1)

CVE-2019-13517

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/885b3701-5e04-4356-9343-e9e0ad4277c7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.