Vulnerabilites related to bd - pyxis_medstation_4000_firmware
Vulnerability from fkie_nvd
Published
2022-02-11 19:15
Modified
2024-11-21 06:47
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cybersecurity@bd.com | https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials | Vendor Advisory | |
| cybersecurity@bd.com | https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01 | Third Party Advisory, US Government Resource |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EBE68344-E519-4DEF-A91F-4094E0D88353",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*",
"matchCriteriaId": "32F3ACBB-87CA-43D2-8E32-2656BDCFEB8D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_anesthesia_station_4000_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97F86D1E-67B1-4C44-8F19-27271D4FF80D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_anesthesia_station_4000:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5261A6F0-0C16-48A4-AC8E-C56616C3EB69",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_cato_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF216527-C831-4DDA-B06D-9EC32DC4E9D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_cato:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0DDB0372-AC19-4D48-892D-B188900B4D05",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_ciisafe_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3974AAD5-FDF0-49FD-AC76-77A0318A6A8E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_ciisafe:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0488CEEA-9504-4619-80F2-106AF8A3E4A1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_inventory_connect_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E01B870-A465-4BB7-A8CC-D3A25C1C307A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_inventory_connect:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EFB422BA-952D-4500-AF88-53F2CD55971A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_iv_prep_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99594833-0248-4484-9A80-C19D80DF5B05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_iv_prep:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B4F467ED-38A7-40C2-A5B7-5437780A58D0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_jitrbud_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C4E95E6-96B2-4A7D-A4F4-ECB6617762F9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_jitrbud:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07D68CF9-39A2-4CCA-90A1-C48EA64D292B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_kanban_rf_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F0A5299E-F3AC-4813-8800-B8C8EDBC1624",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_kanban_rf:-:*:*:*:*:*:*:*",
"matchCriteriaId": "000D25AC-F562-4E8D-B9E9-F82B9751C9C5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_logistics_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "065D8497-C15B-4C16-B4F2-8BC47B556079",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_logistics:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E0197950-E007-4748-89B5-06A1ABA06E39",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_med_link_family_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7B87C798-EC9F-4EA0-83AA-0CFBBC97FA01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_med_link_family:-:*:*:*:*:*:*:*",
"matchCriteriaId": "25BD8F0D-A061-45E8-9388-0FFD8C62FDA8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medbank_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8B5FEF7B-2C20-4D41-BEE7-3E07B7E7C69C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medbank:-:*:*:*:*:*:*:*",
"matchCriteriaId": "246A5F4B-B994-4FC4-A696-1E67E2F9971B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_4000_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B064580E-A862-4F20-A767-CF8CFC5972D4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_4000:-:*:*:*:*:*:*:*",
"matchCriteriaId": "65167BF4-9505-4C1A-8E48-B772A74271F8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_es_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A426FE1F-6BC9-4290-9940-4D2209850412",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB63AC0-5A51-494D-BDFA-BFD4B66A44D9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_es_server_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7BA6158B-0D28-4CF6-8150-704605860F23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_es_server:-:*:*:*:*:*:*:*",
"matchCriteriaId": "042CAB2C-F252-4769-B38B-4DEC2C8D109A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_parassist_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6D84B80-87CB-4ADA-9937-6F5981593AE2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_parassist:-:*:*:*:*:*:*:*",
"matchCriteriaId": "192F2049-9575-48C2-9EF5-5CB8A2C0C65B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_pharmopack_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F938C6B4-0990-44F9-8B23-22DE96E4D303",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_pharmopack:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1AF993B-08A3-42BE-B037-20137BFA3BB4",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_procedurestation_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F56324F6-B50E-4DF3-B90B-AD6A1FB4CC2E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_procedurestation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3F34CF1E-C07A-4AE9-AD7A-EDD060EE64D2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_rapid_rx_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "581094C6-A881-4A94-9BF6-8535424A374B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_rapid_rx:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6C17CA-3731-4214-9388-BEBFCF2509D0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_stockstation_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F44FA73D-106A-4466-8742-BC224CED9AD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_stockstation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2699D945-7724-4CDA-9542-A9954D0B0BF2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplycenter_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB1D7FBA-EDD7-469E-B144-6BD4B7373F22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplycenter:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D619B7DE-C9A9-45FA-8A7F-DEED2838AD18",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplyroller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF17CD6-4F0B-4FAB-9CCD-8223C4FE4D3E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplyroller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "56199C09-6164-4E73-B868-C3FE5BC74C40",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplystation_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D153724-31AE-4474-8F2E-9B5D7C2D7CE9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplystation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "84A0B681-5D18-4D0F-B485-A90348AFD321",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_track_and_deliver_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "119BFE9F-7FEA-454B-B373-298673069938",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_track_and_deliver:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7B02A859-9DEE-40BF-822B-BDB2AFEAB886",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:rowa_pouch_packaging_systems_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3C472FE3-C043-456A-827C-F9E2ED704A52",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:rowa_pouch_packaging_systems:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C2F707E6-6F04-45E5-BA9C-0109A34AC160",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
},
{
"lang": "es",
"value": "Unas credenciales embebidas son usadas en productos espec\u00edficos de BD Pyxis. Si es explotado, los actores de la amenaza pueden ser capaces de conseguir acceso al sistema de archivos subyacente y podr\u00edan potencialmente explotar los archivos de la aplicaci\u00f3n para obtener informaci\u00f3n que podr\u00eda ser usada para descifrar las credenciales de la aplicaci\u00f3n o para conseguir acceso a la informaci\u00f3n de salud electr\u00f3nica protegida (ePHI) u otra informaci\u00f3n confidencial"
}
],
"id": "CVE-2022-22766",
"lastModified": "2024-11-21T06:47:24.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "cybersecurity@bd.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T19:15:08.850",
"references": [
{
"source": "cybersecurity@bd.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"source": "cybersecurity@bd.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"sourceIdentifier": "cybersecurity@bd.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "cybersecurity@bd.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 14:15
Modified
2024-11-21 06:47
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "095129F1-9417-42F7-A797-22F62BA53945",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*",
"matchCriteriaId": "32F3ACBB-87CA-43D2-8E32-2656BDCFEB8D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_ciisafe_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FB6CDD66-A0A2-4939-960F-8DE9DF2BF8A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_ciisafe:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0488CEEA-9504-4619-80F2-106AF8A3E4A1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_logistics_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E7FFB91-0ACC-43DC-AFAA-DBBD1E10C21C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_logistics:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E0197950-E007-4748-89B5-06A1ABA06E39",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medbank_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5E62C14F-58E7-4A40-880C-1A6E848122B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medbank:-:*:*:*:*:*:*:*",
"matchCriteriaId": "246A5F4B-B994-4FC4-A696-1E67E2F9971B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_4000_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FEDEB528-0AEE-40B3-8F89-69118CDB6FF1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_4000:-:*:*:*:*:*:*:*",
"matchCriteriaId": "65167BF4-9505-4C1A-8E48-B772A74271F8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_es_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AF6F4AA1-45B9-4DCB-BFA4-F6A6CA71508E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB63AC0-5A51-494D-BDFA-BFD4B66A44D9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_medstation_es_server_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B42C105A-FADE-4B60-ABFE-51298098EA4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_medstation_es_server:-:*:*:*:*:*:*:*",
"matchCriteriaId": "042CAB2C-F252-4769-B38B-4DEC2C8D109A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_parassist_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3BDB2B7D-A212-4F34-AC20-5B6B79776707",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_parassist:-:*:*:*:*:*:*:*",
"matchCriteriaId": "192F2049-9575-48C2-9EF5-5CB8A2C0C65B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_rapid_rx_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C9F9BE7-A22F-40C7-B88B-10FB4D7D390F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_rapid_rx:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE6C17CA-3731-4214-9388-BEBFCF2509D0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_stockstation_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "41030912-5C48-424A-83C1-516D82CCF762",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_stockstation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2699D945-7724-4CDA-9542-A9954D0B0BF2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplycenter_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1063ED97-BFB0-437D-BE94-ACA16FA1927B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplycenter:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D619B7DE-C9A9-45FA-8A7F-DEED2838AD18",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplyroller_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3E9D58D9-2E46-49BD-B0F6-7A44236B639C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplyroller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "56199C09-6164-4E73-B868-C3FE5BC74C40",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplystation_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF6ACF1A-D2A7-4EB2-9098-045E66B72AA1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplystation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "84A0B681-5D18-4D0F-B485-A90348AFD321",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplystation_ec_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "27CB7296-8A67-43A7-AC8C-09250093D500",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplystation_ec:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3EB2BE62-AFAC-443C-ABEB-F61D798B246B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:pyxis_supplystation_rf_auxiliary_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5FC7D3CE-4742-40AD-93F0-C26488E73840",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:pyxis_supplystation_rf_auxiliary:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5584CAB1-0A32-4358-8CD1-F1F9AF332B0F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bd:rowa_pouch_packaging_systems_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "150594A6-6426-4A44-A1C4-40CEE69614C2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bd:rowa_pouch_packaging_systems:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C2F707E6-6F04-45E5-BA9C-0109A34AC160",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
},
{
"lang": "es",
"value": "Unos productos espec\u00edficos de BD Pyxis\u2122 se instalaron con credenciales por defecto y actualmente pueden seguir funcionando con estas credenciales. Puede haber situaciones en las que los productos BD Pyxis\u2122 sean instalados con las mismas credenciales por defecto del sistema operativo local o con las credenciales de los servidores unidos a un dominio que pueden ser compartidas entre los distintos tipos de productos. Si es explotado, los actores de la amenaza pueden ser capaces de conseguir acceso privilegiado al sistema de archivos subyacente y podr\u00edan potencialmente explotar u conseguir acceso a ePHI u otra informaci\u00f3n confidencial"
}
],
"id": "CVE-2022-22767",
"lastModified": "2024-11-21T06:47:24.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cybersecurity@bd.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T14:15:35.843",
"references": [
{
"source": "cybersecurity@bd.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"sourceIdentifier": "cybersecurity@bd.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-262"
}
],
"source": "cybersecurity@bd.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-22767 (GCVE-0-2022-22767)
Vulnerability from cvelistv5
Published
2022-06-01 16:35
Modified
2024-09-16 16:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-262 - Not Using Password Aging
Summary
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis\u2122 Anesthesia ES Station",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Rowa\u2122 Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"datePublic": "2022-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-262",
"description": "CWE-262: Not Using Password Aging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:35:38",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"solutions": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis\u2122 Products \u2013 Default Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-22767",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis\u2122 Products \u2013 Default Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis\u2122 Anesthesia ES Station",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 CIISafe",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Logistics",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedBank",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 4000",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 ParAssist",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 StockStation",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Rowa\u2122 Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-262: Not Using Password Aging"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22767",
"datePublished": "2022-06-01T16:35:38.991672Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T16:42:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22766 (GCVE-0-2022-22766)
Vulnerability from cvelistv5
Published
2022-02-11 18:12
Modified
2024-09-16 19:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Becton Dickinson (BD) | BD Pyxis Anesthesia Station ES |
Version: All |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis Anesthesia Station ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Anesthesia Station 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CATO",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Inventory Connect",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis IV Prep",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis JITrBUD",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis KanBan RF",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Med Link Family",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis PharmoPack",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ProcedureStation (including EC)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyStation (including RF, EC, CP)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Track and Deliver",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Rowa Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"datePublic": "2022-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:28:22",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis Products - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-02-12T04:00:00.000Z",
"ID": "CVE-2022-22766",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis Products - Hardcoded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis Anesthesia Station ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Anesthesia Station 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CATO",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CIISafe",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Inventory Connect",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis IV Prep",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis JITrBUD",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis KanBan RF",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Logistics",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Med Link Family",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedBank",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES Server",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ParAssist",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis PharmoPack",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ProcedureStation (including EC)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis StockStation",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyStation (including RF, EC, CP)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Track and Deliver",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Rowa Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
]
},
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22766",
"datePublished": "2022-02-11T18:12:07.247407Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T19:15:26.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}