SB2020061906 - Multiple vulnerabilities in Baxter PrismaFlex and PrisMax


Published: June 19, 2020

Security Bulletin ID: SB2020061906
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Cleartext transmission of sensitive information (CVE-ID: CVE-2020-12036)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the software uses an insecure communication channel to transmit sensitive information to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. A remote attacker can gain access to sensitive data, such as treatment data.
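The following is an added defender-side example, not code from the bulletin or from the vendor. It shows how a network sensor's session records can be screened for device-to-PDMS/EMR exports that were not protected by TLS, which is the condition item 1 describes. The record layout, the host inventory, the addresses and the sample sessions are all constructed for illustration and are not specific to the affected products.

```python
# Added example: flag device sessions that export data to a PDMS/EMR host
# without TLS. Session records, hosts and addresses are constructed; nothing
# here is taken from the affected devices or the bulletin.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Session:
    src: str        # address of the medical device (constructed)
    dst: str        # address of the peer it talked to (constructed)
    dst_port: int   # destination port as seen by the sensor
    tls: bool       # whether the sensor observed a TLS handshake on this session
    bytes_out: int  # bytes the device sent to the peer


# Constructed inventory of hosts that act as PDMS/EMR receivers.
EMR_HOSTS = {"10.20.0.5": "pdms-01", "10.20.0.6": "emr-01"}


def find_cleartext_exports(sessions):
    """Return (device, receiver, port, bytes) for every session in which a
    device sent data to a PDMS/EMR host without TLS. Sessions to other
    hosts and sessions that carried no device data are ignored."""
    findings = []
    for s in sessions:
        if s.dst in EMR_HOSTS and not s.tls and s.bytes_out > 0:
            findings.append((s.src, EMR_HOSTS[s.dst], s.dst_port, s.bytes_out))
    return findings


def summarize_by_device(findings):
    """Total cleartext bytes exported per device, so the worst offenders
    can be prioritised for reconfiguration or patching."""
    totals = defaultdict(int)
    for device, _receiver, _port, nbytes in findings:
        totals[device] += nbytes
    return dict(totals)


# Constructed sample sessions: two devices, one TLS export, two cleartext
# exports, one cleartext session to an unrelated host, one empty session.
SAMPLE_SESSIONS = [
    Session("10.10.1.11", "10.20.0.5", 443, True, 4096),
    Session("10.10.1.11", "10.20.0.6", 8080, False, 2048),
    Session("10.10.1.12", "10.20.0.5", 80, False, 512),
    Session("10.10.1.12", "10.30.0.9", 80, False, 300),
    Session("10.10.1.12", "10.20.0.6", 8080, False, 0),
]


def main():
    findings = find_cleartext_exports(SAMPLE_SESSIONS)
    for device, receiver, port, nbytes in findings:
        print(f"cleartext export: {device} -> {receiver}:{port} ({nbytes} bytes)")
    for device, total in summarize_by_device(findings).items():
        print(f"{device}: {total} cleartext bytes total")


if __name__ == "__main__":
    main()
```

Whether a session was protected is taken from the sensor's own TLS observation rather than inferred from the port number, because a receiver listening on a non-standard port can still be using TLS and a standard port can still carry cleartext.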


2) Improper Authentication (CVE-ID: CVE-2020-12035)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to improper authentication when the device is configured to send treatment data to a PDMS or an EMR system. A remote attacker can bypass the authentication process and modify treatment status information.


3) Use of Hard-coded Password (CVE-ID: CVE-2020-12037)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because the affected device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configurations. An authenticated attacker with physical access can use these credentials to modify device settings and calibration.


Remediation

Install the update from the vendor's website.