CVE-2022-22767

Summary

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

Affected Software

VendorProductVersion RangeStatus
Becton Dickinson (BD)BD Pyxis™ Anesthesia ES StationAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ CIISafeAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ LogisticsAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ MedBankAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ MedStation™ 4000All versionsaffected
Becton Dickinson (BD)BD Pyxis™ MedStation™ ESAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ MedStation™ ES ServerAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ ParAssistAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ Rapid RxAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ StockStationAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ SupplyCenterAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ SupplyRollerAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ SupplyStation™All versionsaffected
Becton Dickinson (BD)BD Pyxis™ SupplyStation™ ECAll versionsaffected
Becton Dickinson (BD)BD Pyxis™ SupplyStation™ RF auxiliaryAll versionsaffected
Becton Dickinson (BD)BD Rowa™ Pouch Packaging SystemsAll versionsaffected

Weaknesses

  • CWE-262: CWE-262: Not Using Password Aging

Workarounds

Limit physical access to only authorized personnel. Tightly control management of system passwords provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

ADP Enrichment

CVE Program Container

Additional References

References