ICSA-14-288-01 · Published 2025-06-06 · Source: CISA ICS-CERT
CareFusion Pyxis SupplyStation System Vulnerabilities
CVSS 9.7 (Critical)
Remediations
- CareFusion has released a new version of the hardware test tool software, Version 1.0.16, that addresses three of the reported vulnerabilities: hard-coded service password, hard-coded account password, and insecure temporary files. CareFusion has installed the new version on affected devices for customers with a current remote support service agreement. For additional information about the new version, contact CareFusion at 1 (800) 727-6102 or email questions to [email protected].
- Hardware test tool software Version 1.0.16 implements two-factor authentication to mitigate the hard-coded service password and hard-coded account password vulnerabilities by requiring an additional login credential. The additional credential is a dynamic password that is specific to each user and changes frequently. CareFusion has also removed the unnecessary debugging files from the affected products.
- CareFusion is not addressing the hard-coded password for the database in Version 1.0.16 because exploiting this vulnerability also requires coordinated local access to the SupplyStation system. CareFusion has resolved to address the hard-coded password vulnerability for the database in later versions.
Affected Vendors
CareFusion
Affected Products (1)
- CareFusion Pyxis SupplyStation system 8.1 (hardware test tool software), versions <=1.0.15