The Pyxis SupplyStation from CareFusion is an automated pharmaceutical drug cabinet system that's still widely used despite having been declared end-of-life by its manufacturer -- a new report from CERT discloses that independent researchers Billy Rios and Mike Ahmadi have found over 1,400 critical remote-attack vulnerabilities.
Many of the vulnerabilities need very little skill to exploit. The researchers say they believe the bugs are already being exploited in the wild, since exploits for them are publicly available.
The cabinets are based on Microsoft's discontinued Windows XP/Server 2000 products. CareFusion will not issue patches for the old systems, but it has provided some advice to help customers mitigate the risk from these bugs (such as firewalls and VPNs).
Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system. The SupplyStation system is designed to maintain critical functionality and provide access to supplies in “fail-safe mode” in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
CareFusion Pyxis SupplyStation System Vulnerabilities [CERT]
1,400+ vulnerabilities found in automated medical supply system
[Zeljka Zorz/Helpnet Security]