CVE-2022-22766

BD Pyxis Products - Hardcoded Credentials

Description

Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.

Remediation

Workaround:

  • Limit physical access to the device to only authorized personnel.
  • Tightly control management of BD Pyxis system credentials provided to authorized users.
  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
  • Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
  • Work with your local BD support team to ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts.

Category

CVSS score: 7.0 (Severity: High)
EPSS: 0.09%
Vendor Advisory bd.com
Affected: Becton Dickinson (BD) BD Pyxis Anesthesia Station ES
Affected: Becton Dickinson (BD) BD Pyxis Anesthesia Station 4000
Affected: Becton Dickinson (BD) BD Pyxis CATO
Affected: Becton Dickinson (BD) BD Pyxis CIISafe
Affected: Becton Dickinson (BD) BD Pyxis Inventory Connect
Affected: Becton Dickinson (BD) BD Pyxis IV Prep
Affected: Becton Dickinson (BD) BD Pyxis JITrBUD
Affected: Becton Dickinson (BD) BD Pyxis KanBan RF
Affected: Becton Dickinson (BD) BD Pyxis Logistics
Affected: Becton Dickinson (BD) BD Pyxis Med Link Family
Affected: Becton Dickinson (BD) BD Pyxis MedBank
Affected: Becton Dickinson (BD) BD Pyxis MedStation 4000
Affected: Becton Dickinson (BD) BD Pyxis MedStation ES
Affected: Becton Dickinson (BD) BD Pyxis MedStation ES Server
Affected: Becton Dickinson (BD) BD Pyxis ParAssist
Affected: Becton Dickinson (BD) BD Pyxis PharmoPack
Affected: Becton Dickinson (BD) BD Pyxis ProcedureStation (including EC)
Affected: Becton Dickinson (BD) BD Pyxis Rapid Rx
Affected: Becton Dickinson (BD) BD Pyxis StockStation
Affected: Becton Dickinson (BD) BD Pyxis SupplyCenter
Affected: Becton Dickinson (BD) BD Pyxis SupplyRoller
Affected: Becton Dickinson (BD) BD Pyxis SupplyStation (including RF, EC, CP)
Affected: Becton Dickinson (BD) BD Pyxis Track and Deliver
Affected: Becton Dickinson (BD) BD Rowa Pouch Packaging Systems
Frequently Asked Questions

What is the severity of CVE-2022-22766?
CVE-2022-22766 has been scored as a high severity vulnerability.
How to fix CVE-2022-22766?
As a workaround for remediating CVE-2022-22766: Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team to ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts.
Is CVE-2022-22766 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-22766 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-22766?
CVE-2022-22766 affects Becton Dickinson (BD) BD Pyxis Anesthesia Station ES, Becton Dickinson (BD) BD Pyxis Anesthesia Station 4000, Becton Dickinson (BD) BD Pyxis CATO, Becton Dickinson (BD) BD Pyxis CIISafe, Becton Dickinson (BD) BD Pyxis Inventory Connect, Becton Dickinson (BD) BD Pyxis IV Prep, Becton Dickinson (BD) BD Pyxis JITrBUD, Becton Dickinson (BD) BD Pyxis KanBan RF, Becton Dickinson (BD) BD Pyxis Logistics, Becton Dickinson (BD) BD Pyxis Med Link Family, Becton Dickinson (BD) BD Pyxis MedBank, Becton Dickinson (BD) BD Pyxis MedStation 4000, Becton Dickinson (BD) BD Pyxis MedStation ES, Becton Dickinson (BD) BD Pyxis MedStation ES Server, Becton Dickinson (BD) BD Pyxis ParAssist, Becton Dickinson (BD) BD Pyxis PharmoPack, Becton Dickinson (BD) BD Pyxis ProcedureStation (including EC), Becton Dickinson (BD) BD Pyxis Rapid Rx, Becton Dickinson (BD) BD Pyxis StockStation, Becton Dickinson (BD) BD Pyxis SupplyCenter, Becton Dickinson (BD) BD Pyxis SupplyRoller, Becton Dickinson (BD) BD Pyxis SupplyStation (including RF, EC, CP), Becton Dickinson (BD) BD Pyxis Track and Deliver, Becton Dickinson (BD) BD Rowa Pouch Packaging Systems.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.