CVE-2022-22766

Summary

Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.

Affected Software

VendorProductVersion RangeStatus
Becton Dickinson (BD)BD Pyxis Anesthesia Station ESAllaffected
Becton Dickinson (BD)BD Pyxis Anesthesia Station 4000Allaffected
Becton Dickinson (BD)BD Pyxis CATOAllaffected
Becton Dickinson (BD)BD Pyxis CIISafeAllaffected
Becton Dickinson (BD)BD Pyxis Inventory ConnectAllaffected
Becton Dickinson (BD)BD Pyxis IV PrepAllaffected
Becton Dickinson (BD)BD Pyxis JITrBUDAllaffected
Becton Dickinson (BD)BD Pyxis KanBan RFAllaffected
Becton Dickinson (BD)BD Pyxis LogisticsAllaffected
Becton Dickinson (BD)BD Pyxis Med Link FamilyAllaffected
Becton Dickinson (BD)BD Pyxis MedBankAllaffected
Becton Dickinson (BD)BD Pyxis MedStation 4000Allaffected
Becton Dickinson (BD)BD Pyxis MedStation ESAllaffected
Becton Dickinson (BD)BD Pyxis MedStation ES ServerAllaffected
Becton Dickinson (BD)BD Pyxis ParAssistAllaffected
Becton Dickinson (BD)BD Pyxis PharmoPackAllaffected
Becton Dickinson (BD)BD Pyxis ProcedureStation (including EC)Allaffected
Becton Dickinson (BD)BD Pyxis Rapid RxAllaffected
Becton Dickinson (BD)BD Pyxis StockStationAllaffected
Becton Dickinson (BD)BD Pyxis SupplyCenterAllaffected
Becton Dickinson (BD)BD Pyxis SupplyRollerAllaffected
Becton Dickinson (BD)BD Pyxis SupplyStation (including RF, EC, CP)Allaffected
Becton Dickinson (BD)BD Pyxis Track and DeliverAllaffected
Becton Dickinson (BD)BD Rowa Pouch Packaging SystemsAllaffected

Weaknesses

  • CWE-798: CWE-798 Use of Hard-coded Credentials

Workarounds

Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts.

ADP Enrichment

CVE Program Container

Additional References

References