Multiple vulnerabilities in Baxter ExactaMix



Published: 2020-06-19
Risk Medium
Patch available NO
Number of vulnerabilities 4
CVE-ID CVE-2020-12016
CVE-2020-12012
CVE-2020-12024
CVE-2020-12020
CWE-ID CWE-259
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
ExactaMix EM2400
Hardware solutions / Medical equipment

ExactaMix EM1200
Hardware solutions / Medical equipment

Vendor Baxter

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Use of Hard-coded Password

EUVDB-ID: #VU29168

Risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-12016

CWE-ID: CWE-259 - Use of Hard-coded Password

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentionaly sensitive information. 

The vulnerability exists due to the affected software has hard-coded administrative account credentials for the ExactaMix operating system. A remote attacker can use these credentials to view sensitive data including PHI.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ExactaMix EM2400: 1.10 - 1.14

ExactaMix EM1200: 1.1 - 1.5


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Hard-coded Password

EUVDB-ID: #VU29169

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-12012

CWE-ID: CWE-259 - Use of Hard-coded Password

Exploit availability: No

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the affected software has hard-coded administrative account credentials for the ExactaMix application. An attacker with physical access can use these credentials to gain unauthorized access to view/update system configuration or data.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ExactaMix EM2400: 1.10 - 1.13

ExactaMix EM1200: 1.1 - 1.4


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-01

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU29172

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-12024

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the USB interface. An attacker with physical access can load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ExactaMix EM2400: 1.10 - 1.14

ExactaMix EM1200: 1.1 - 1.5


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-01

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Exposure of Resource to Wrong Sphere

EUVDB-ID: #VU29173

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-12020

CWE-ID: -

Exploit availability: No

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the affected software does not restrict non administrative users from gaining access to the operating system and editing the application startup script. A local user can alter the startup script as the limited-access user.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ExactaMix EM2400: 1.10 - 1.13

ExactaMix EM1200: 1.1 - 1.4


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsma-20-170-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###