There are vulnerability reports, and there are Vulnerability Reports. The latest and perhaps best entry in the latter category is a disclosure of more than 1,400 vulnerabilities in a variety of medication-supply devices manufactured by CareFusion.
The affected devices are CareFusion’s Pyxis SupplyStation systems, automated cabinets that allow medical personnel to dispense medication and monitor dosages. The devices are used in hospitals and other medical institutions and typically are networked together. Security researchers Billy Rios and Mike Ahmadi discovered the vulnerabilities and reported them through the ICS-CERT. The flaws affect several versions of the Pyxis SupplyStation devices, none of which are supported any longer.
“The affected products, Pyxis SupplyStation systems, are automated supply cabinets used to dispense medical supplies that can document usage in real-time. The Pyxis SupplyStation systems include automated devices that may be deployed using a variety of functional configurations. The Pyxis SupplyStation systems have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility’s existing information systems,” the ICS-CERT advisory says.
Rios and Ahmadi tested several different versions of the software running on the SupplyStation devices and found 1,418 separate vulnerabilities in version 8.1.3 of the software.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system. The SupplyStation system is designed to maintain critical functionality and provide access to supplies in ‘fail-safe mode’ in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable,” the advisory says.
There are publicly available exploits for these vulnerabilities, and because the affected products are no longer supported, CareFusion is not planning to release patches for them.
“CareFusion has confirmed that the identified vulnerabilities are present in the Pyxis SupplyStation systems that operate on Server 2003/Windows XP, which are at end-of-life and are no longer supported. As a result of the identified vulnerabilities, CareFusion has started reissuing targeted customer communications, advising customers of end-of-life versions with an upgrade path. For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation,” the advisory says.