OTPulse

BD Pyxis (Update A)

CVSS 7.6 · ICS-CERT ICSMA-19-248-01 · Sep 5, 2019
Attack Vector: Adjacent
Privileges Required: Low
Attack Complexity: Low
User Interaction: None
Summary

A session management vulnerability in BD Pyxis ES and Pyxis Enterprise Server allows a user whose Active Directory account has expired to keep accessing medication dispensing cabinets when the devices are joined to the hospital domain. The systems do not properly validate the account's expiration status when authenticating against Active Directory, so an attacker holding stale credentials can regain access with the privileges the account previously held. This could enable unauthorized access to patient data and medication inventory. Joining Pyxis devices to the hospital AD domain is not the vendor-recommended configuration, so the issue primarily affects organizations that have done so.

What this means
What could happen
An attacker with a previously valid hospital network account could regain access to a Pyxis medication dispensing cabinet even after account expiration, potentially gaining unauthorized access to patient data and medications.
Who's at risk
Healthcare facilities using BD Pyxis medication dispensing cabinets integrated with Active Directory domain authentication are affected. This particularly impacts hospitals that have connected Pyxis ES or Pyxis Enterprise Server systems to their hospital domain network for centralized credential management.
How it could be exploited
An attacker who holds expired Active Directory credentials and has network access to the hospital domain could authenticate to a Pyxis ES or Pyxis Enterprise Server system that is joined to that domain. Because the system fails to validate credential expiration, the stale credentials grant the attacker the same access the original user had.
Prerequisites
  • Active Directory integration enabled on Pyxis device
  • Pyxis device connected to hospital domain network
  • Access to a previously valid but now-expired hospital network user account
  • Knowledge of the expired account credentials
Tags:
  • requires network access to hospital domain
  • requires valid user credentials (albeit expired)
  • affects medication dispensing systems
  • no vendor patch available
  • requires specific configuration (AD integration and domain connection)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2), both end of life (EOL)

Product                                        Affected versions     Fix status
Pyxis ES                                       >= 1.3.4, < 1.5.3     No fix (EOL)
Pyxis Enterprise Server with Windows Server    >= 4.4, <= 4.12       No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Do not rely on AD user account expiration dates as a security control; actively disable or remove user accounts from AD when employees depart
  • HARDENING: Restrict network access to Pyxis devices to authorized clinical staff only and enforce least privilege access
Schedule (requires maintenance window)

Upgrading domain controllers and moving cabinets to a segmented network can interrupt access to the cabinets; plan for process interruption.

  • HARDENING: Upgrade Microsoft Active Directory Domain Controllers to functional level 2012 or higher
  • HARDENING: Place Pyxis medication dispensing cabinets behind firewalls and on segmented networks isolated from general hospital IT infrastructure
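The "Do now" account control and the domain functional level item above are both things an AD administrator can verify directly. The following PowerShell script is an added example, not code from the OTPulse page or from BD: it reports the domain functional level against the 2012 threshold, lists every still-enabled account whose expiration date has already passed (the accounts the advisory says a cabinet may keep accepting), and optionally disables them. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to read user objects (and, with -Disable, to disable them). The parameter names, the optional OU filter and the suggested file name Audit-PyxisADAccounts.ps1 are this example's own.

```powershell
<#
  Added example (not from BD or the OTPulse page): audit an AD domain for the
  two conditions the Pyxis mitigations depend on.
    1. Domain functional level is 2012 or higher.
    2. No account that has passed its expiration date is still enabled; the
       advisory says the cabinets may not honour expiration, so such accounts
       must be disabled or removed rather than left to expire on their own.
  Read-only unless -Disable is given. Parameter names are this example's own.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Optional OU distinguished name to limit the scan (assumed; e.g. the OU
    # holding clinical staff). Omit to scan the whole domain.
    [string]$SearchBase,
    # Disable expired-but-enabled accounts instead of only reporting them.
    [switch]$Disable
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. Domain functional level -------------------------------------------
# DomainMode is an enum such as Windows2008R2Domain or Windows2016Domain; the
# four-digit year embedded in the name is what we compare against 2012.
$mode      = (Get-ADDomain).DomainMode.ToString()
$levelYear = if ($mode -match '(\d{4})') { [int]$Matches[1] } else { 0 }
$levelOk   = $levelYear -ge 2012
Write-Host ("Domain functional level: {0} ({1})" -f $mode,
    $(if ($levelOk) { 'OK' } else { 'BELOW 2012: upgrade required' }))

# --- 2. Enabled accounts whose expiration date has already passed ---------
$query = @{
    Filter     = 'Enabled -eq $true'
    Properties = 'AccountExpirationDate', 'LastLogonDate', 'MemberOf'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$now   = Get-Date
$stale = Get-ADUser @query | Where-Object {
    # AccountExpirationDate is $null for accounts that never expire.
    $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now
}

# Report who they are, when they expired, when they last logged on, and which
# groups they still hold (group CN only): those group memberships are the
# privileges a cabinet would grant if the stale account were reused.
$report = foreach ($u in $stale) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        ExpiredOn      = $u.AccountExpirationDate
        LastLogon      = $u.LastLogonDate
        Groups         = ($u.MemberOf | ForEach-Object {
                             ($_ -split ',')[0] -replace '^CN='
                         }) -join ';'
    }
}
$report | Sort-Object ExpiredOn | Format-Table -AutoSize
Write-Host ("{0} enabled account(s) past their expiration date" -f @($stale).Count)

# --- 3. Optional remediation -----------------------------------------------
# Disabling the account, rather than trusting its expiry date, is what the
# advisory asks for. -WhatIf and -Confirm work through SupportsShouldProcess.
if ($Disable) {
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $u
            Set-ADUser -Identity $u -Description (
                "Disabled {0:yyyy-MM-dd}: past account expiration (ICSMA-19-248-01 mitigation)" -f $now)
        }
    }
}
```

Run it read-only first (`.\Audit-PyxisADAccounts.ps1`, optionally with `-SearchBase 'OU=...'`), then `-Disable -WhatIf` to preview, then `-Disable`. The script only touches AD; it cannot make an EOL cabinet start honouring expiration, which is why BD's compensating control of not joining the cabinets to the domain at all remains the stronger fix.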
Mitigations (no patch available)

The following products have reached end of life with no planned fix: Pyxis ES, Pyxis Enterprise Server with Windows Server. Apply the following compensating control:
  • HARDENING: Do not connect Pyxis ES medication dispensing cabinets to the hospital domain; place them on a separate, isolated network segment