Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Bd Subscribe
Pyxis Anesthesia Station 4000 Subscribe
Pyxis Anesthesia Station 4000 Firmware Subscribe
Pyxis Anesthesia Station Es Subscribe
Pyxis Anesthesia Station Es Firmware Subscribe
Pyxis Cato Subscribe
Pyxis Cato Firmware Subscribe
Pyxis Ciisafe Subscribe
Pyxis Ciisafe Firmware Subscribe
Pyxis Inventory Connect Subscribe
Pyxis Inventory Connect Firmware Subscribe
Pyxis Iv Prep Subscribe
Pyxis Iv Prep Firmware Subscribe
Pyxis Jitrbud Subscribe
Pyxis Jitrbud Firmware Subscribe
Pyxis Kanban Rf Subscribe
Pyxis Kanban Rf Firmware Subscribe
Pyxis Logistics Subscribe
Pyxis Logistics Firmware Subscribe
Pyxis Med Link Family Subscribe
Pyxis Med Link Family Firmware Subscribe
Pyxis Medbank Subscribe
Pyxis Medbank Firmware Subscribe
Pyxis Medstation 4000 Subscribe
Pyxis Medstation 4000 Firmware Subscribe
Pyxis Medstation Es Subscribe
Pyxis Medstation Es Firmware Subscribe
Pyxis Medstation Es Server Subscribe
Pyxis Medstation Es Server Firmware Subscribe
Pyxis Parassist Subscribe
Pyxis Parassist Firmware Subscribe
Pyxis Pharmopack Subscribe
Pyxis Pharmopack Firmware Subscribe
Pyxis Procedurestation Subscribe
Pyxis Procedurestation Firmware Subscribe
Pyxis Rapid Rx Subscribe
Pyxis Rapid Rx Firmware Subscribe
Pyxis Stockstation Subscribe
Pyxis Stockstation Firmware Subscribe
Pyxis Supplycenter Subscribe
Pyxis Supplycenter Firmware Subscribe
Pyxis Supplyroller Subscribe
Pyxis Supplyroller Firmware Subscribe
Pyxis Supplystation Subscribe
Pyxis Supplystation Firmware Subscribe
Pyxis Track And Deliver Subscribe
Pyxis Track And Deliver Firmware Subscribe
Rowa Pouch Packaging Systems Subscribe
Rowa Pouch Packaging Systems Firmware Subscribe

Configuration 1 [-]

AND
cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:bd:pyxis_anesthesia_station_4000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_anesthesia_station_4000:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:bd:pyxis_cato_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_cato:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:bd:pyxis_ciisafe_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_ciisafe:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:bd:pyxis_inventory_connect_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_inventory_connect:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:bd:pyxis_iv_prep_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_iv_prep:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:bd:pyxis_jitrbud_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_jitrbud:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:bd:pyxis_kanban_rf_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_kanban_rf:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:bd:pyxis_logistics_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_logistics:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:bd:pyxis_med_link_family_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_med_link_family:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:bd:pyxis_medbank_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_medbank:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:bd:pyxis_medstation_4000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_medstation_4000:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:bd:pyxis_medstation_es_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:o:bd:pyxis_medstation_es_server_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_medstation_es_server:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND
cpe:2.3:o:bd:pyxis_parassist_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_parassist:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND
cpe:2.3:o:bd:pyxis_pharmopack_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_pharmopack:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND
cpe:2.3:o:bd:pyxis_procedurestation_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_procedurestation:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND
cpe:2.3:o:bd:pyxis_rapid_rx_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_rapid_rx:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND
cpe:2.3:o:bd:pyxis_stockstation_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_stockstation:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND
cpe:2.3:o:bd:pyxis_supplycenter_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_supplycenter:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND
cpe:2.3:o:bd:pyxis_supplyroller_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_supplyroller:-:*:*:*:*:*:*:*

Configuration 22 [-]

AND
cpe:2.3:o:bd:pyxis_supplystation_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_supplystation:-:*:*:*:*:*:*:*

Configuration 23 [-]

AND
cpe:2.3:o:bd:pyxis_track_and_deliver_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:pyxis_track_and_deliver:-:*:*:*:*:*:*:*

Configuration 24 [-]

AND
cpe:2.3:o:bd:rowa_pouch_packaging_systems_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bd:rowa_pouch_packaging_systems:-:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-27909 Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
Fixes

Solution

No solution given by the vendor.

Workaround

Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts.

References
Link Providers
https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials cve-icon cve-icon
https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01 cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: BD

Published:

Updated: 2024-09-16T19:15:26.998Z

Reserved: 2022-01-07T00:00:00

Link: CVE-2022-22766

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-02-11T19:15:08.850

Modified: 2024-11-21T06:47:24.280

Link: CVE-2022-22766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses