Government warns on cybersecurity issues with BD’s Pyxis, Synapsys systems

The U.S. Cybersecurity and Infrastructure Agency (CISA) today issued warnings about two BD products (NYSE: BDX).

Vulnerabilities in the BD Pyxis Automated Drug Dispensing System and the BD Synapsys Microbiology Computer Software were voluntarily reported by BD, based in Franklin Lakes, New Jersey, through the CISA Coordinated Vulnerability Outreach Program.

The BD Pyxis vulnerability is classified as “Password aging not used”; successful exploitation could allow an attacker to access electronic protected health information (ePHI) or other sensitive information, according to the CISA notice. CISA determined that the vulnerability is remotely exploitable and has low attack complexity.

Specific BD Pyxis products were installed with default credentials and still operate with them. This creates potential scenarios in which products were installed with the same local operating system default credentials, or with domain-linked server credentials that may be shared between product types. Exploitation could therefore give an attacker privileged access to the underlying file system, and through it access to ePHI or other sensitive information.

BD is currently enhancing credential management capabilities for Pyxis products, and service staff are working with users whose domain-linked server credentials require updates. The company is also testing a credential management solution to enable enhanced authentication management practices with local operating system-specific credentials. Changes required for installation, upgrade, or applications are being evaluated as fixes.

The company also recommends that users of Pyxis products that use default credentials restrict physical access to authorized personnel only, control the management of system passwords provided to authorized users, monitor and record network traffic for suspicious activity, and isolate affected products in a secure virtual local area network (VLAN) or behind restricted-access firewalls.
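The two conditions the Pyxis notice describes, a password that is never aged out and one default or domain-linked credential reused across installations, are easy to audit once account metadata is in hand. The following is an added example, not BD's or CISA's code: it walks a constructed list of account records, flags accounts still on a placeholder default password or past a maximum password age, and groups accounts that share a single credential. The account names, the default password, the hash scheme and the 90-day limit are all assumptions made for the example.

```python
"""Credential-hygiene checks for a fleet of device accounts (added example).

Not BD's code or CISA's: it models the two conditions the advisory describes,
a password that has never been aged out and a default credential shared
between installations, and reports the accounts that violate the policy.
Account records, the default password and the 90-day maximum age are all
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed placeholder standing in for a documented vendor default.
# Only its hash is kept; the comparison below assumes stored hashes use the
# same scheme, which is a simplification for the example.
DEFAULT_PASSWORD_SHA256 = hashlib.sha256(b"CHANGEME-example-default").hexdigest()


@dataclass
class Account:
    name: str
    password_sha256: str
    last_rotated: datetime
    domain_linked: bool = False  # domain-linked server credential vs local OS account


def check_password_aging(accounts, now, max_age=timedelta(days=90)):
    """Return (account, reason) findings for default or over-age passwords."""
    findings = []
    for acct in accounts:
        if acct.password_sha256 == DEFAULT_PASSWORD_SHA256:
            findings.append((acct.name, "default-credential"))
        if now - acct.last_rotated > max_age:
            findings.append((acct.name, "password-expired"))
    return findings


def shared_credential_groups(accounts):
    """Group account names that share one password hash across the fleet.

    The advisory's concern is the same default or domain-linked credential
    reused between product types; any group with more than one member is a
    single credential whose compromise reaches every account in the group.
    """
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct.password_sha256].append(acct.name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample fleet: two units still on the default local OS password,
# one domain-linked service account that was rotated too long ago, and one
# account that is compliant.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("unit-a-local", DEFAULT_PASSWORD_SHA256, NOW - timedelta(days=400)),
    Account("unit-b-local", DEFAULT_PASSWORD_SHA256, NOW - timedelta(days=400)),
    Account("domain-svc", _h("example-rotated-2022-01"), NOW - timedelta(days=120), True),
    Account("pharmacist-1", _h("example-user-pw"), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, reason in check_password_aging(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {reason}")
    for group in shared_credential_groups(SAMPLE_ACCOUNTS):
        print("shared credential:", ", ".join(group))
```

Run as a script it lists the two default-credential units (each also past the age limit), the over-age domain-linked account, and the one shared credential group; the compliant account produces no finding. A real deployment would feed it from the directory or device inventory rather than the constructed list.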

According to a separate CISA warning, the BD Synapsys platform (versions 4.20, 4.20 SR1 and 4.30) is affected by an “Insufficient session expiration” vulnerability that CISA rates as having low attack complexity.

Successful exploitation of the Synapsys vulnerability could allow an attacker to access, modify, or delete sensitive information, including ePHI, protected health information (PHI), and personally identifiable information (PII). Unauthorized access to a Synapsys workstation is considered unlikely because of the sequence of events that must occur in a specific order, but a successful attack could lead to modification of ePHI, PHI, or PII, which could in turn lead to delayed or incorrect treatment.

BD Synapsys v4.20 SR2 will be released in June 2022 and will fix the vulnerability, according to the CISA warning, while users running Synapsys v4.30 will be able to upgrade to v5.10, which the company expects to be available in August 2022.

The company recommends that users of affected Synapsys products set the idle session timeout to match the session expiration timeout, make sure physical access controls are in place and only authorized end users have access to workstations, place a reminder on each computer for users to save all their work and log out or shut down their workstation when they leave, and ensure that industry-standard network security policies and procedures are followed.
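“Insufficient session expiration” is concrete to model: a server-side session that only dies at the end of an absolute lifetime stays usable on a workstation whose user has walked away. The following is an added example, not BD's or CISA's code, showing a weak policy (long lifetime, no idle timeout) beside a hardened one that also enforces an idle timeout, with explicit logout discarding the session immediately. The timeout values, the token and the sample scenario are constructed assumptions; the advisory's point that the idle timeout must be configured and kept consistent with the expiration setting is what the hardened policy illustrates.

```python
"""Session-expiration policy check (added example, not BD's or CISA's code).

Models "insufficient session expiration": a session that only dies when its
absolute lifetime ends stays usable on an unattended workstation. The
hardened policy adds an idle timeout, as the advisory recommends, and logging
out discards the session immediately. Timeouts and the sample session are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime


@dataclass(frozen=True)
class SessionPolicy:
    absolute_lifetime: timedelta
    idle_timeout: Optional[timedelta]  # None: idle sessions never expire (weak)


def session_is_valid(session: Session, policy: SessionPolicy, now: datetime) -> bool:
    """A session is valid only while both the absolute and idle limits hold."""
    if now - session.created >= policy.absolute_lifetime:
        return False
    if policy.idle_timeout is not None and now - session.last_activity >= policy.idle_timeout:
        return False
    return True


class SessionStore:
    """Minimal server-side store that enforces a SessionPolicy."""

    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user: str, now: datetime) -> None:
        self._sessions[token] = Session(user, now, now)

    def logout(self, token: str) -> None:
        # Explicit logout invalidates the token regardless of remaining lifetime.
        self._sessions.pop(token, None)

    def authenticate(self, token: str, now: datetime) -> Optional[str]:
        """Return the user for a live token, expiring dead tokens on the way."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if not session_is_valid(session, self.policy, now):
            del self._sessions[token]
            return None
        session.last_activity = now  # activity resets the idle clock only
        return session.user


# Weak configuration: eight-hour lifetime, no idle timeout (constructed values).
WEAK_POLICY = SessionPolicy(absolute_lifetime=timedelta(hours=8), idle_timeout=None)
# Hardened configuration: same lifetime plus a 15-minute idle timeout (constructed).
HARDENED_POLICY = SessionPolicy(absolute_lifetime=timedelta(hours=8),
                                idle_timeout=timedelta(minutes=15))


def walked_away_scenario(policy: SessionPolicy) -> Optional[str]:
    """Constructed scenario: a user logs in, then the workstation sits idle 30 min."""
    t0 = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
    store = SessionStore(policy)
    store.login("tok-1", "labtech", t0)
    store.authenticate("tok-1", t0 + timedelta(minutes=1))   # last real activity
    return store.authenticate("tok-1", t0 + timedelta(minutes=31))


if __name__ == "__main__":
    print("weak policy, idle 30 min:", walked_away_scenario(WEAK_POLICY))
    print("hardened policy, idle 30 min:", walked_away_scenario(HARDENED_POLICY))
```

Under the weak policy the unattended session still answers with the logged-in user after half an hour of inactivity; under the hardened policy the same token is rejected and purged from the store. The idle clock is reset only by real requests, so a browser tab left open does not keep a session alive by itself.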
