Updated to correctly label the Pyxis as a medical supply cabinet, as it was originally mislabeled as a drug dispensing cabinet.
The U.S. Homeland Security Dept. warned about more than 1,400 cybersecurity flaws found in 3rd-party software used with the Pyxis SupplyStation automated medical supply cabinet made by Becton Dickinson & Co. (NYSE:BDX) subsidiary CareFusion.
The flaws, uncovered by independent researchers Billy Rios and Mike Ahmadi in collaboration with CareFusion, could be exploited remotely, and exploits targeting them are publicly available, according to the department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The vulnerabilities were found in 7 different 3rd-party software packages, including Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system,” according to ICS-CERT. “As a result of the identified vulnerabilities, CareFusion has started reissuing targeted customer communications, advising customers of end-of-life versions with an upgrade path. For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation.”
Customers who are still using the outdated 3rd-party software should isolate their Pyxis SupplyStation systems from the Internet or use a virtual private network to connect the devices.