Multiple vulnerabilities in Baxter PrismaFlex and PrisMax



Published: 2020-06-19
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-12036
CVE-2020-12035
CVE-2020-12037
CWE-ID CWE-319
CWE-287
CWE-259
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
PrismaFlex
Hardware solutions / Medical equipment

PrisMax
Hardware solutions / Medical equipment

Vendor Baxter

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Cleartext transmission of sensitive information

EUVDB-ID: #VU29154

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12036

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. A remote attacker can gain access to sensitive data, such as treatment data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PrismaFlex: before 8.2

PrisMax: before 3.0


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-02

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper Authentication

EUVDB-ID: #VU29155

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12035

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper authentication when configured to send treatment data to a PDMS or an EMR system. A remote attacker can bypass authentication process and modify treatment status information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PrismaFlex: before 8.2

PrisMax: before 3.0


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-02

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Use of Hard-coded Password

EUVDB-ID: #VU29156

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12037

CWE-ID: CWE-259 - Use of Hard-coded Password

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentionaly sensitive information. 

The vulnerability exists due to the affected device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configurations. An authenticated attacker with physical access can use these credentials to modify device settings and calibration.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PrismaFlex: before 8.2

PrisMax: before 3.0


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-02

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###