CareFusion Mitigates Vulnerabilities

Thursday, October 16, 2014 @ 05:10 PM gHale


CareFusion implemented additional controls to mitigate some of the authentication vulnerabilities in its Pyxis SupplyStation system, according to a report on ICS-CERT.

Some of the vulnerabilities, discovered by independent researcher Billy Rios, could end up exploited remotely. These vulnerabilities could suffer exploitation if the network and/or physical security of healthcare facilities using the SupplyStation system are also compromised.

RELATED STORIES
Siemens Heartbleed Update, Again
Unified Automation Heartbleed Vulnerability
Wonderware Patches Heartbleed Hole
Digi Mitigates Heartbleed Hole

Pyxis SupplyStation system 8.1 (hardware test tool software Versions 1.0.15 and prior) suffer from the issue.

Exploitation of these vulnerabilities may allow an attacker to remotely compromise the Pyxis SupplyStation system. An attacker who also has physical access to the SupplyStation system could remove medical supplies via such a remote compromise. The mission of the SupplyStation system is to maintain critical functionality and provide access to supplies in “fail-safe mode” in the event the cabinet ends up inoperable. Manual keys can end up used to access the cabinet if it is inoperable.

CareFusion is a U.S.-based company that maintains offices in 20 countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Canada, China, and Australia.

CareFusion’s Pyxis SupplyStation systems are automated supply cabinets used in hospitals to release medical supplies. CareFusion products end up deployed across the healthcare and public health sector.

The Pyxis SupplyStation system contains a hard-coded service password that grants administrator privileges by default. A remote attacker may be able to compromise the device if an attacker is able to defeat the network and/or physical security of the facility in which the SupplyStation system ends up deployed. Physical access to the device is a requirement to remove contents of the automated supply cabinet.

CVE-2014-5422 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.7.

The Pyxis SupplyStation system uses a hard-coded password for the database account that captures transaction events. The database processes run with privileged user rights on the automated supply cabinet by default. The database is accessible only to applications running locally within the cabinet. An attacker with local access may be able to completely compromise the automated supply cabinet, to include removing the contents of the automated supply cabinet.

CVE-2014-5421 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

The Pyxis SupplyStation system uses a hard-coded nonprivileged application account password that grants a user limited system access to application files that run the automated supply cabinet. The application account does have the functionality to manipulate the locking controls on the affected automated supply cabinet to remove the contents of the cabinet.

CVE-2014-5420 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.5.

The Pyxis SupplyStation system contains debugging files and other developer files that may divulge information about application source code that may expose system vulnerabilities. CareFusion has deleted the debugging files from all SupplyStation systems that have a current remote support service agreement.

CVE-2014-5423 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 1.7.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit these vulnerabilities.

CareFusion has released a new version of the hardware test tool software, Version 1.0.16, that addresses three of the reported vulnerabilities: Hard-coded service password, hard-coded account password, and insecure temporary files. CareFusion installed the new version on affected devices for customers with a current remote support service agreement. For additional information about the new version, click here to email questions.

Hardware test tool software, Version 1.0.16 implements two-factor authentication to mitigate the hard-coded service password and the hard-coded account password vulnerabilities by implementing an additional required login credential. The additional credential is a dynamic password that is specific to each user and subject to frequent change. CareFusion has also removed the unnecessary debugging files in the affected products.

CareFusion is not addressing the hard-coded password for the database in Version 1.0.16 because exploiting this vulnerability also requires coordinated local access to the SupplyStation system. CareFusion resolved to address the hard-coded password vulnerability for the database in later versions.



Leave a Reply

You must be logged in to post a comment.