SB2020061920 - Multiple vulnerabilities in Baxter ExactaMix
Published: June 19, 2020 Updated: June 19, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Use of Hard-coded Password (CVE-ID: CVE-2020-12016)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected software ships with hard-coded administrative account credentials for the ExactaMix operating system. A remote attacker who knows these credentials can log in and view sensitive data, including PHI.
2) Use of Hard-coded Password (CVE-ID: CVE-2020-12012)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists because the affected software ships with hard-coded administrative account credentials for the ExactaMix application. An attacker with physical access can use these credentials to gain unauthorized access to the application and view or modify system configuration or data.
3) Improper access control (CVE-ID: CVE-2020-12024)
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on the USB interface. An attacker with physical access can boot a live operating system from USB and then load an unauthorized payload or gain unauthorized access to the contents of the hard drive.
4) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2020-12020)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists because the affected software does not restrict non-administrative users from accessing the operating system and editing the application startup script. A local user with a limited-access account can therefore alter the startup script and have arbitrary commands executed when the application starts.
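A practical check for the weakness in item 4 is to audit the ACL of the application startup script and flag any principal outside the administrative set that holds a write-capable right. The script below is an added example, not code from Baxter or from the bulletin: the bulletin does not name the device operating system or the script path, so the example assumes a Windows-style ACL as printed by icacls (the sample output is constructed, and C:\App\startup.bat is a placeholder path). The same logic extends to any ACL dump once it is reduced to (principal, rights) pairs.

```python
import re

# icacls right codes that allow changing a file's contents or its ACL.
# F = full, M = modify, W = write, WD/AD/WA = write data/append/attributes,
# DC = delete child, WDAC = write DAC, WO = write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "DC", "WDAC", "WO"}

# Inheritance markers that say nothing about what the principal may do.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Principals that are expected to be able to change a startup script.
# Adjust to the site's own administrative groups (assumption).
ADMIN_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CREATOR OWNER",
}

# One ACE as icacls prints it: "DOMAIN\Principal:(flag)(flag)(rights)".
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, set_of_right_codes), ...] from icacls output.

    `path` is the file that was queried; icacls prints it in front of the
    first ACE, so it is stripped before the line is parsed. Deny ACEs are
    skipped because they grant nothing.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line, summary line, or not an ACE
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        tokens = {t.strip() for g in groups for t in g.split(",") if t.strip()}
        if "DENY" in tokens:
            continue
        rights = tokens - INHERIT_FLAGS - {"DENY"}
        aces.append((m.group("principal"), rights))
    return aces


def non_admin_writers(aces, admins=ADMIN_PRINCIPALS):
    """Principals outside the admin set that can modify the file."""
    return sorted({p for p, rights in aces if p not in admins and rights & WRITE_RIGHTS})


def audit_startup_script(icacls_output, path):
    """Convenience wrapper: icacls text in, offending principals out."""
    return non_admin_writers(parse_icacls(icacls_output, path))


# Constructed sample output; the path is a placeholder, not the real one.
SAMPLE_PATH = "C:\\App\\startup.bat"

# Weak configuration: the Users group holds Modify on the startup script,
# which is the condition described in item 4.
SAMPLE_WEAK = """C:\\App\\startup.bat NT AUTHORITY\\SYSTEM:(I)(F)
                   BUILTIN\\Administrators:(I)(F)
                   BUILTIN\\Users:(I)(M)
                   BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Hardened configuration: limited users may read and execute only.
SAMPLE_HARDENED = """C:\\App\\startup.bat NT AUTHORITY\\SYSTEM:(F)
                   BUILTIN\\Administrators:(F)
                   BUILTIN\\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        offenders = audit_startup_script(text, SAMPLE_PATH)
        status = "FAIL" if offenders else "OK"
        print(f"{label:9s} {status} non-admin writers: {offenders}")
```

On a real system, feed the function the output of `icacls <path>` for the startup script and any directory it loads from, and treat a non-empty result as a finding; a limited-access account should end up with read and execute rights only.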
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.