BD Discloses Viper, Pyxis Medical Device Vulnerabilities

March 04, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) issued two advisories concerning medical device vulnerabilities in some Becton, Dickinson and Company (BD) products. If exploited, the vulnerabilities, found in certain BD Viper LT and BD Pyxis products, may allow threat actors to view and manipulate sensitive data.  

BD Pyxis products are automated medication dispensing systems. The BD Pyxis vulnerability (CVE-2022-22766) impacts over 20 BD Pyxis devices and involves the use of hard-coded credentials that could allow attackers to access protected health information (PHI). BD manages the credentials, and they are not visible to customers.

The vulnerability has a score of 7.0 in terms of severity because threat actors may be able to “gain access to the underlying file system and exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information,” the advisory stated.

BD is actively strengthening credential management capabilities in the Pyxis devices. Additionally, the advisory recommended that healthcare organizations using BD Pyxis products limit physical access to the device and monitor and log all network traffic.

Users should also isolate impacted products behind firewalls and work with a BD support team to implement patches.

The BD Viper LT vulnerability (CVE-2022-22765) also involves the use of hard-coded credentials and could allow threat actors to access, modify, or delete PHI. The vulnerability has a base severity score of 8.0 and impacts BD Viper LT systems versions 2.0 and later.

“BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness. The fix is expected in an upcoming BD Viper LT system Version 4.80 software release,” the advisory stated.

BD also recommended that BD Viper LT users implement physical access controls and allow only authorized users to have access to the system. In addition, users should disconnect the BD Viper LT system from network access if possible. If it must be connected to a network, BD recommended that organizations follow industry-standard network security policies and procedures.

Organizations that observe suspicious activity should report findings to CISA. The vulnerabilities are not exploitable remotely and there have been no reports of successful exploits at the time of publication.