The U.S. Dept. of Homeland Security (DHS) issued a medical advisory warning of a potential software vulnerability in the Pyxis MedStation and Pyxis Anesthesia (PAS) ES system made by Becton Dickinson (NYSE:BDX).
According to the DHS warning, Becton Dickinson reported the vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA). Affected models of the drug-dispensing devices include the Pyxis MedStation ES v1.6.1 and the Pyxis Anesthesia ES system v1.6.1.
The affected devices run in a software mode called “kiosk mode” that is vulnerable to local breakouts, which could allow an attacker with physical access to bypass the kiosk mode and view and/or modify sensitive data. The vulnerability is not exploitable remotely and there are no known public exploits that specifically target it.
BD recommended that users limit physical access to the affected products to authorized users only, isolate impacted systems and connect them only to trusted systems, and monitor and investigate unplanned reboots of the systems using tools provided by IT departments.
The company is also currently deploying a security update designed to strengthen kiosk mode to limit methods of kiosk escape in the affected products, according to the DHS notice.