1,400 Vulnerabilities To Remain Unpatched in Medical Supply System

More than 1,400 vulnerabilities exist in a widely used drug cabinet system, according to an advisory issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Tuesday.

The problems exist in Pyxis SupplyStation, an automated medical supply cabinet manufactured by CareFusion. The systems, common in nursing setups in facilities across the healthcare sector, are used for dispensing medical supplies and keeping track of stock in real time.

Independent security researchers Billy Rios and Mike Ahmadi discovered the vulnerabilities after obtaining a SupplyStation through a third-party that resells decommissioned systems. After securing the system, the two used an automated software composition analysis tool to carry out static binary analysis against extracted firmware to dig up the bugs.

Specifically, the vulnerabilities exist in older versions of the systems, 8.0 through 9.3, which run on Microsoft Server 2003/XP.

The researchers said 1,418 different vulnerabilities alone exist in 8.1.3, a version of he system that hasn’t been updated since 2010. The bugs stretch across seven third-party vendor software packages and 86 different files, according to the ICS-CERT advisory.

It’s these out of date, third party software components, including BMC Appsight, SAP Crystal Reports, and Microsoft Windows XP, to name a few, that are the biggest culprits here, the researchers claim.

“It is important to note here that the issues are in the third-party packages, which we have been preaching about for the last several years,” Ahmadi wrote in a blog yesterday, “Up to 90 percent of the software used in development today is third-party.”

Since CareFusion considers these vulnerable versions end-of-life, it has no plans to patch them, but is offering anyone still running them, mitigations to reduce the risk of exploitation. The company is urging users to isolate the systems from the internet but if they have to connect them, it’s stressing they loop them through a VPN, monitor the network for any suspicious activity, and close any unused ports.

1,418 known vulnerabilities in the Pyxis devices: https://t.co/YaVRP8X97w

— Billy Rios (@XSSniper) March 29, 2016

Rios has identified bugs in the system, including one in 2014 that could’ve let an attacker remove supplies from the cabinet via remote compromise. It wasn’t until last spring, when Becton, Dickinson and Company, a New Jersey-based medical device company acquired CareFusion, that the company became more receptive when it comes to addressing vulnerabilities.

“I reported a number of issues affecting Carefusion products a few years ago and got very little traction,” Rios told Threatpost Wednesday, “Since they were acquired by BD, the response has been great.”

According to Ahmadi, Rob Suarez, who heads up product security for BD, didn’t deny the vulnerabilities existed when he and Rios first shared their findings. Ahmadi acknowledged that cooperation was key and that Suarez even offered up all six affected systems (Version 8.0, Version 8.1.3, Version 9.0, Version 9.1, Version 9.2, Version 9.3, all for Server 2003/XP) for use in the advisory.

Unlike the 2014 advisory however, the vendor has verified all of the vulnerabilities in this week’s advisory.

“The first advisory had no variant analysis and it seemed that Carefusion downplayed the issues. The second advisory lists all the affected versions and includes a confirmation from BD, which is a great step forward,” Rios said.

It was only a few years ago that Rios helped identify critical flaws in pumps manufactured by Hospira. The research eventually prompted the Food and Drug Administration to issue an alert urging facilities to transition to alternative infusion systems and discontinue use of the systems, marking the first time a safety notification citing cybersecurity concerns had been issued by the agency.