Legion of demons found in ancient auto medical supply dispensing cabinets

Updated Consider this a reminder that end-of-life software doesn't get patches: researchers have turned up more than 1,400 vulnerabilities in a widespread automatic medical supply dispensing system from CareFusion, because old units are still running Windows XP.

The computer-controlled dispensing cabinets are installed in hospitals and pharmacies around the world. In large deployments, they can be connected as a network of dispensary workstations that report usage in real time – incidentally providing a vector for remote attacks.

Long-time researcher Billy Rios (formerly of Cylance and Qualys, now with Whitescope) worked with Mike Ahmadi (Synopsis) on the independent project.

They bought secondhand CareFusion Pyxis SupplyStation systems [PDF] and ran them through an automated software composition analysis tool.

Finding vulns in outdated software would be considered a stunt-hack in many contexts, but the healthcare sector has a long and well-documented habit of leaving dead systems in operation.

It probably won't surprise readers that there's a common factor in the vulnerable systems: Pyxis SupplyStation system server software Version 8.0 and 8.1.3 2003 and 9.0 through 9.3 2003 all run on Windows XP.

As this ICS-CERT advisory states, “Version 9.3, Version 9.4, and Version 10.0 of the Pyxis SupplyStation systems that operate on Server 2008/Server 2012/Windows 7 do not contain the reported vulnerabilities”.

A bunch of third-party packages become vulnerable as a result of what Rios and Ahmadi turned up, including BMC Appsight, SAP Crystal Reports, Installshield, Sybase SQL Anywhere, Symantec Antivirus and Symantec pcAnywhere – because, of course, none of these vendors are patching XP products.

The cold equations include 715 bugs with a CVSS (common vulnerability scoring system) base score higher than 7.0, 606 rated between 4.0 and 6.9, and 97 “low risk” vulnerabilities between 0-3.9.

The advisory notes that while an attacker could exploit the flaws to remotely access the system, what could be done from there varies widely on how the individual machine is configured and used. The researchers note each SupplyStation has a "fail-safe" mode that allows control with physical keys.

Windows XP is a millstone around the neck of many healthcare systems. Earlier this year, an Australian hospital had its pathology systems crippled by a virus rampaging through the ancient operating system. ®