cvelistv5 - cve-2020-10598

CVE-2020-10598 (GCVE-0-2020-10598)

Vulnerability from cvelistv5 – Published: 2020-04-01 20:59 – Updated: 2024-08-04 11:06

Summary

In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.

Severity ?

No CVSS data available.

CWE

CWE-693 - PROTECTION MECHANISM FAILURE CWE-693

Assigner

icscert

References

URL

Tags

https://www.us-cert.gov/ics/advisories/icsma-20-091-01

x_refsource_MISC

Impacted products

Vendor

Product

Version

Becton, Dickinson and Company (BD)

Pyxis MedStation ES System

Affected: v1.6.1

Becton, Dickinson and Company (BD)

Pyxis Anesthesia (PAS) ES System

Affected: v1.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:10.174Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pyxis MedStation ES System",
          "vendor": "Becton, Dickinson and Company (BD)",
          "versions": [
            {
              "status": "affected",
              "version": "v1.6.1"
            }
          ]
        },
        {
          "product": "Pyxis Anesthesia (PAS) ES System",
          "vendor": "Becton, Dickinson and Company (BD)",
          "versions": [
            {
              "status": "affected",
              "version": "v1.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-693",
              "description": "PROTECTION MECHANISM FAILURE CWE-693",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T20:59:36",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-10598",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pyxis MedStation ES System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "v1.6.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Pyxis Anesthesia (PAS) ES System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "v1.6.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Becton, Dickinson and Company (BD)"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "PROTECTION MECHANISM FAILURE CWE-693"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-10598",
    "datePublished": "2020-04-01T20:59:36",
    "dateReserved": "2020-03-16T00:00:00",
    "dateUpdated": "2024-08-04T11:06:10.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:bd:pyxis_medstation_es_firmware:1.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D2FB9A03-78B0-4756-B847-94E2B4FC52CD\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CFB63AC0-5A51-494D-BDFA-BFD4B66A44D9\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:1.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD02216F-7EA2-48DF-8C6A-BC9E27367065\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32F3ACBB-87CA-43D2-8E32-2656BDCFEB8D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.\"}, {\"lang\": \"es\", \"value\": \"En BD Pyxis MedStation ES System versi\\u00f3n v1.6.1 y Pyxis Anesthesia (PAS) ES System versi\\u00f3n v1.6.1, presenta una vulnerabilidad de escape de entorno de escritorio restringido en la funcionalidad de kiosk mode de los dispositivos afectados. Unas entradas especialmente dise\\u00f1adas pueden permitir al usuario escapar del entorno restringido, resultando en el acceso a datos confidenciales.\"}]",
      "id": "CVE-2020-10598",
      "lastModified": "2024-11-21T04:55:40.320",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 3.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-01T21:15:13.880",
      "references": "[{\"url\": \"https://www.us-cert.gov/ics/advisories/icsma-20-091-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsma-20-091-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-693\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-10598\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-04-01T21:15:13.880\",\"lastModified\":\"2024-11-21T04:55:40.320\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.\"},{\"lang\":\"es\",\"value\":\"En BD Pyxis MedStation ES System versi\u00f3n v1.6.1 y Pyxis Anesthesia (PAS) ES System versi\u00f3n v1.6.1, presenta una vulnerabilidad de escape de entorno de escritorio restringido en la funcionalidad de kiosk mode de los dispositivos afectados. Unas entradas especialmente dise\u00f1adas pueden permitir al usuario escapar del entorno restringido, resultando en el acceso a datos confidenciales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":3.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-693\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:bd:pyxis_medstation_es_firmware:1.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2FB9A03-78B0-4756-B847-94E2B4FC52CD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFB63AC0-5A51-494D-BDFA-BFD4B66A44D9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:1.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD02216F-7EA2-48DF-8C6A-BC9E27367065\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32F3ACBB-87CA-43D2-8E32-2656BDCFEB8D\"}]}]}],\"references\":[{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-091-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-091-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

GSD-2020-10598

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-10598

Aliases

CVE-2020-10598

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-10598",
    "description": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.",
    "id": "GSD-2020-10598"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-10598"
      ],
      "details": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.",
      "id": "GSD-2020-10598",
      "modified": "2023-12-13T01:22:04.204971Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2020-10598",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Pyxis MedStation ES System",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "v1.6.1"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Pyxis Anesthesia (PAS) ES System",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "v1.6.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Becton, Dickinson and Company (BD)"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "PROTECTION MECHANISM FAILURE CWE-693"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01",
            "refsource": "MISC",
            "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:bd:pyxis_medstation_es_firmware:1.6.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:1.6.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-10598"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2021-09-14T13:35Z",
      "publishedDate": "2020-04-01T21:15Z"
    }
  }
}

CNVD-2020-35521

Vulnerability from cnvd - Published: 2020-07-01

Title

Pyxis MedStation ES System和Pyxis Anesthesia ES System信息泄露漏洞

Description

BD Pyxis MedStation ES System和Pyxis Anesthesia (PAS) ES System都是美国碧迪医疗（BD）公司的产品。Pyxis MedStation ES System是一套支持分散式药物管理的自动化药物分配系统。Pyxis Anesthesia (PAS) ES System是一套麻醉药物分配系统。 Pyxis MedStation ES System v1.6.1版本和Pyxis Anesthesia (PAS) ES System v1.6.1版本中的kiosk模式功能存在安全漏洞。攻击者可借助特制的输入利用该漏洞绕过被限制的环境，访问敏感信息。

Severity

低

Patch Name

Pyxis MedStation ES System和Pyxis Anesthesia ES System信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.bd.com/

Reference

https://www.us-cert.gov/ics/advisories/icsma-20-091-01

Impacted products

Name
['BD Pyxis Anesthesia (PAS) ES System 1.6.1', 'BD Pyxis MedStation ES System 1.6.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10598"
    }
  },
  "description": "BD Pyxis MedStation ES System\u548cPyxis Anesthesia (PAS) ES System\u90fd\u662f\u7f8e\u56fd\u78a7\u8fea\u533b\u7597\uff08BD\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Pyxis MedStation ES System\u662f\u4e00\u5957\u652f\u6301\u5206\u6563\u5f0f\u836f\u7269\u7ba1\u7406\u7684\u81ea\u52a8\u5316\u836f\u7269\u5206\u914d\u7cfb\u7edf\u3002Pyxis Anesthesia (PAS) ES System\u662f\u4e00\u5957\u9ebb\u9189\u836f\u7269\u5206\u914d\u7cfb\u7edf\u3002\n\nPyxis MedStation ES System v1.6.1\u7248\u672c\u548cPyxis Anesthesia (PAS) ES System v1.6.1\u7248\u672c\u4e2d\u7684kiosk\u6a21\u5f0f\u529f\u80fd\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8f93\u5165\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u88ab\u9650\u5236\u7684\u73af\u5883\uff0c\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.bd.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-35521",
  "openTime": "2020-07-01",
  "patchDescription": "BD Pyxis MedStation ES System\u548cPyxis Anesthesia (PAS) ES System\u90fd\u662f\u7f8e\u56fd\u78a7\u8fea\u533b\u7597\uff08BD\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Pyxis MedStation ES System\u662f\u4e00\u5957\u652f\u6301\u5206\u6563\u5f0f\u836f\u7269\u7ba1\u7406\u7684\u81ea\u52a8\u5316\u836f\u7269\u5206\u914d\u7cfb\u7edf\u3002Pyxis Anesthesia (PAS) ES System\u662f\u4e00\u5957\u9ebb\u9189\u836f\u7269\u5206\u914d\u7cfb\u7edf\u3002\r\n\r\nPyxis MedStation ES System v1.6.1\u7248\u672c\u548cPyxis Anesthesia (PAS) ES System v1.6.1\u7248\u672c\u4e2d\u7684kiosk\u6a21\u5f0f\u529f\u80fd\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8f93\u5165\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u88ab\u9650\u5236\u7684\u73af\u5883\uff0c\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pyxis MedStation ES System\u548cPyxis Anesthesia ES System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "BD Pyxis Anesthesia (PAS) ES System 1.6.1",
      "BD Pyxis MedStation ES System 1.6.1"
    ]
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01",
  "serverity": "\u4f4e",
  "submitTime": "2020-04-01",
  "title": "Pyxis MedStation ES System\u548cPyxis Anesthesia ES System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-FQJR-2CV5-P732

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-10598"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-01T21:15:00Z",
    "severity": "LOW"
  },
  "details": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.",
  "id": "GHSA-fqjr-2cv5-p732",
  "modified": "2022-05-24T17:13:02Z",
  "published": "2022-05-24T17:13:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10598"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

ICSMA-20-091-01

Vulnerability from csaf_cisa - Published: 2020-03-31 00:00 - Updated: 2020-03-31 00:00

Summary

BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

The affected BD medical devices utilize a method of software application implementation called kiosk mode. This kiosk mode is vulnerable to local breakouts, which could allow an attacker with physical access to bypass kiosk mode and view and/or modify sensitive data.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "BD"
        ],
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "The affected BD medical devices utilize a method of software application implementation called kiosk mode. This kiosk mode is vulnerable to local breakouts, which could allow an attacker with physical access to bypass kiosk mode and view and/or modify sensitive data.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-20-091-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-091-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-20-091-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-091-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.fda.gov/medical-devices/digital-health/cybersecurity"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System",
    "tracking": {
      "current_release_date": "2020-03-31T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-20-091-01",
      "initial_release_date": "2020-03-31T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-03-31T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-20-091-01 BD Pyxis MedStation and Anesthesia (PAS) ES System"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.6.1",
                "product": {
                  "name": "Pyxis Anesthesia (PAS) ES System: v1.6.1",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Pyxis Anesthesia (PAS) ES System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.6.1",
                "product": {
                  "name": "Pyxis MedStation ES System: v1.6.1",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Pyxis MedStation ES System"
          }
        ],
        "category": "vendor",
        "name": "Becton, Dickinson and Company (BD)"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-10598",
      "cwe": {
        "id": "CWE-693",
        "name": "Protection Mechanism Failure"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.CVE-2020-10598 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10598"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Additionally, BD is in the process of deploying a security update that strengthens kiosk mode to limit currently known methods of kiosk escape in Pyxis MedStation and Pyxis Anesthesia (PAS) ES System Version 1.6.1. Access to tools for viewing or manipulating local resources will be restricted.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For more information on this issue, please see the associated BD product security bulletin on the BD website.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

FKIE_CVE-2020-10598

Vulnerability from fkie_nvd - Published: 2020-04-01 21:15 - Updated: 2024-11-21 04:55

Severity ?

6.1 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://www.us-cert.gov/ics/advisories/icsma-20-091-01	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://www.us-cert.gov/ics/advisories/icsma-20-091-01	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
bd	pyxis_medstation_es_firmware	1.6.1
bd	pyxis_medstation_es	-
bd	pyxis_anesthesia_station_es_firmware	1.6.1
bd	pyxis_anesthesia_station_es	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:bd:pyxis_medstation_es_firmware:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2FB9A03-78B0-4756-B847-94E2B4FC52CD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:bd:pyxis_medstation_es:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFB63AC0-5A51-494D-BDFA-BFD4B66A44D9",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD02216F-7EA2-48DF-8C6A-BC9E27367065",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:bd:pyxis_anesthesia_station_es:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "32F3ACBB-87CA-43D2-8E32-2656BDCFEB8D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
    },
    {
      "lang": "es",
      "value": "En BD Pyxis MedStation ES System versi\u00f3n v1.6.1 y Pyxis Anesthesia (PAS) ES System versi\u00f3n v1.6.1, presenta una vulnerabilidad de escape de entorno de escritorio restringido en la funcionalidad de kiosk mode de los dispositivos afectados. Unas entradas especialmente dise\u00f1adas pueden permitir al usuario escapar del entorno restringido, resultando en el acceso a datos confidenciales."
    }
  ],
  "id": "CVE-2020-10598",
  "lastModified": "2024-11-21T04:55:40.320",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-01T21:15:13.880",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-091-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-693"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-10598 (GCVE-0-2020-10598)

GSD-2020-10598

CNVD-2020-35521

GHSA-FQJR-2CV5-P732

ICSMA-20-091-01

FKIE_CVE-2020-10598

Tags

Sightings

Nomenclature