|The Pyxis SupplyStation--Courtesy of CareFusion|
The U.S. Department of Homeland Security (DHS) issued a notice last week that a Becton Dickinson supply management system has security vulnerabilities that could be exploited remotely. The system, a Pyxis SupplyStation, was tested by independent researchers. It is designed to release medical supplies to authorized personal via fingerprint identification.
The agency said it would not provide a patch to address the issue, since the affected versions are near the end of their active life. The vulnerabilities were found by independent researchers Billy Rios and Mike Ahmadi in collaboration with CareFusion, which was acquired by BD ($BDX) last year in a $12.2 billion deal.
The security issues were identified on a system that was bought via a third-party retailer that sells decommissioned systems. They were found using an automated software composition analysis tool. CareFusion has offered measures to reduce the risk of exploitation of the affected software versions for the Pyxis SupplyStation systems, which are listed here.
In total, more than 1,400 vulnerabilities were identified in 7 different third-party vendor software packages across 86 different files. The affected systems are no longer supported by CareFusion.
CareFusion is advising that affected customers should isolate any affected Pyxis SupplyStation systems from the Internet, require use of a virtual private network when remote access is necessary and monitor all network traffic attempting to reach the affected products.
"Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system," summed up DHS. "The SupplyStation system is designed to maintain critical functionality and provide access to supplies in 'fail-safe mode' in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable."
- here is the DHS alert