1,400+ vulnerabilities found in automated medical supply system

  • March 30, 2016
  • 9 replies
  • 0 views

Jasper_The_Rasper
Moderator
Zeljka Zorz - March 30, 2016
 
Security researchers have discovered 1,418 vulnerabilities in CareFusion’s Pyxis SupplyStation system – automated cabinets used to dispense medical supplies – that are still being used in the healthcare and public health sectors in the US and around the world.
 
The vulnerabilities can be exploited remotely by attackers with low skills, and exploits that target these vulnerabilities are publicly available, ICS-CERT has warned in an advisory.
The worst part of it is that the affected versions of the software are at end-of-life, and won't be receiving a patch even though they are widely used.
 
Full Article

9 replies

This thread just reinforces a previous article on Health Care facilities not being up to date on cyber security or awareness.

Ssherjj
Moderator
  • Moderator
  • March 30, 2016
I totally agree, Anthony! You'd think these health care facilities could afford to upgrade/update their end-of-life OSs! Security matters, especially for health care!

ProTruckDriver
Moderator
@Antus67 wrote:
This thread just reinforces a previous article on Health Care facilities not being up to date on cyber security or awareness.

It's the same old, same old... We always learn when it's too late or many people have to suffer or die. It's a shame. 😞

Jasper_The_Rasper
Moderator
I agree totally, Anthony. I think sometimes they take an attitude of "if it ain't broke, don't fix it"; well, eventually things get so bad that things have to be done at short notice with no leeway, and the impact is greater on the customers/clients.

Baldrick
Gold VIP
  • Gold VIP
  • March 30, 2016
Just beggars belief that something that important could be allowed to get to that stage of 'decrepitude' security-wise. Someone in the IT department there needs shooting for allowing it. But unfortunately it is an all too recurrent issue, given that these sorts of systems 'evolve' over years and that many of the 'holes' get built in as part of the extensions of services, etc. ;)

Jasper_The_Rasper
Moderator

The devices were running on Windows XP, which was considered EOL

 
Mar 31, 2016 09:15 GMT  ·  By Catalin Cimpanu

Devices are running on EOL Windows XP machines

Because these devices were built to run a custom Windows XP build, all of these versions have reached end of life, but in many cases, the medical centers where they are deployed are continuing to use them.
 
The researchers warned ICS-CERT, who, together with BD, CareFusion's parent company and the device's manufacturer, has issued public alerts on this topic, warning hospitals to upgrade to newer devices.
 
Out of the 1,418 vulnerabilities, security researchers say that 715 are considered to have a high severity score (CVSS between 7 and 10) while 606 are labeled with medium severity (CVSS between 4 and 6.9). Researchers and ICS-CERT specialists claim that, despite the fact that these devices are located in hospitals, attacking and exploiting Pyxis supply stations won't lead to the loss of human life.
 
Full Article

The problem is the hospitals don't want to bother upgrading or paying the cost of upgrading; they feel they're safe enough. Now it has bitten them where it hurts and they still don't do anything about it.

Ssherjj
Moderator
  • Moderator
  • March 31, 2016
You are right, Anthony... I don't understand how the hospital can think they can get by with outdated systems, especially with a lack of security, which is beyond belief in this day and age.

Baldrick
Gold VIP
  • Gold VIP
  • March 31, 2016
Well, in a sense that is on the one hand almost criminal... but on the other hand the cost of replacing these specialised systems can be quite extortionate... so these institutions are left with a difficult decision. :(