Legion of demons found in ancient auto drug dispensing cabinets
Consider this a reminder that end-of-life software doesn’t get patches: researchers have turned up more than 1,400 vulnerabilities in a widespread automatic drug dispensing system from CareFusion, because old units are still running Windows XP.
The computer-controlled dispensing cabinets are installed in hospitals and pharmacies around the world. In large deployments, they can be connected as a network of dispensary workstations that report usage in real time – incidentally providing a vector for remote attacks.
Long time researcher Billy Rios (formerly of Cylance and Qualys, now with Whitescope) worked with Mike Ahmadi (Synopsis) on the independent project.
They bought secondhand CareFusion Pyxis SupplyStation systems and ran them through an automated software composition analysis tool.
Finding vulns in outdated software would be considered a stunt-hack in many contexts, but the healthcare sector has a long and well-documented habit of leaving dead systems in operation.
It probably won’t surprise readers that there’s a common factor in the vulnerable systems: Pyxis SupplyStation system server software Version 8.0 and 8.1.3 2003 and 9.0 through 9.3 2003 all run on Windows XP.
As this ICS-CERT advisory states, “Version 9.3, Version 9.4, and Version 10.0 of the Pyxis SupplyStation systems that operate on Server 2008/Server 2012/Windows 7 do not contain the reported vulnerabilities”.
A bunch of third-party packages become vulnerable as a result of what Rios and Ahmadi turned up, including BMC Appsight, SAP Crystal Reports, Installshield, Sybase SQL Anywhere, Symantec Antivirus and Symantec pcAnywhere – because, of course, none of these vendors are patching XP products.
The cold equations include 715 bugs with a CVSS (common vulnerability scoring system) base score higher than 7.0, 606 rated between 4.0 and 6.9, and 97 “low risk” vulnerabilities between 0-3.9.
Because of the huge number of vulnerabilities, the advisory doesn’t list the possible impact of exploits.
Windows XP is a millstone around the neck of many healthcare systems. Earlier this year, an Australian hospital had its pathology systems crippled by a virus rampaging through the ancient operating system. ®