SB2022090915 - Multiple vulnerabilities in Baxter Sigma Spectrum Infusion Pump
Published: September 9, 2022
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-26390)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected application stores network credentials and patient health information (PHI) in unencrypted form. An attacker with physical access can gain unauthorized access to sensitive information on the system.
2) Format string error (CVE-ID: CVE-2022-26392)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a format string error within the application messaging when in superuser mode. A remote user can read memory in the WBM and access sensitive information.
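The weakness class behind this entry (CWE-134, externally controlled format string) is easiest to see in code. The following is an added example written for this bulletin, not code from Baxter or from the pump; it assumes a hypothetical status-message handler that receives free text from a peer over the network, and it uses Python's `str.format` as the formatter. The point carries over to C `printf`-family calls: a received message must be passed as an argument, never as the format template. The example also includes a small detection helper that flags inbound text containing format directives, which is useful when triaging logs or protocol captures.

```python
"""Format-string handling for messages received from a network peer.
Added example (not the vendor's code). CWE-134: when received text is used
as the *template* rather than as *data*, the formatter interprets any
directives it contains and the peer decides what gets substituted."""
import re

# Matches str.format fields like {name} / {0.attr} and printf-style
# conversions like %x, %08x, %s. Constructed for this example; the flag set
# deliberately omits ' ' so that ordinary text such as "45% remaining" is
# not flagged.
FORMAT_DIRECTIVE = re.compile(
    r"\{[^{}]*\}|%[-+#0]*\d*(?:\.\d+)?[diouxXeEfFgGcrsa%]"
)


def contains_format_directives(msg: str) -> bool:
    """Detection aid: True if the text would be interpreted by a formatter."""
    return FORMAT_DIRECTIVE.search(msg) is not None


def render_status_vulnerable(msg: str, device: dict) -> str:
    """'Before' pattern: the untrusted message becomes the template.

    Every {field} in msg is resolved against the device dictionary, so the
    peer can pull out any value the handler has in scope (the same happens
    with `template % device` and %(field)s, or printf(msg) in C)."""
    return ("STATUS " + msg).format(**device)


def render_status_hardened(msg: str, device: dict) -> str:
    """'After' pattern: fixed template, untrusted message passed as data.

    Braces and percent signs inside msg are copied literally because msg is
    an argument, not the format string (printf("%s", msg) in C)."""
    return "STATUS pump={name} msg={msg}".format(name=device["name"], msg=msg)


if __name__ == "__main__":
    # Constructed sample device state; the PSK stands in for the kind of
    # network credential the handler must never expose.
    device = {"name": "pump-7", "wifi_psk": "hunter2"}
    inbound = "batt {wifi_psk}"
    print("flagged:", contains_format_directives(inbound))
    print("hardened:", render_status_hardened(inbound, device))
```

In a C code base the equivalent hardening is a literal format string at every `printf`/`syslog`/`snprintf` call site, enforced at build time with `-Wformat -Wformat-security -Werror=format-security`, which rejects any call whose format argument is not a string literal.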
3) Missing Authentication for Critical Function (CVE-ID: CVE-2022-26394)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected application does not perform mutual authentication with the gateway server host. A remote user on the local network can perform a machine-in-the-middle attack that modifies parameters and makes the network connection fail.
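To make the missing control concrete, here is an added example of a pump-to-gateway exchange with mutual authentication; it is not the vendor's protocol, and the message names, the pre-shared key and the infusion parameters are all constructed for this illustration. It uses an HMAC challenge/response over fresh nonces from both sides and over the negotiated parameters, so a host on the path can neither pose as the gateway nor alter the parameters it forwards without the tag check failing. The `check_gateway=False` switch reproduces the one-sided behaviour this entry describes, where the pump applies whatever parameters arrive and only the gateway side ever notices. In production the same property is normally obtained with TLS and client certificates; the shared-key scheme is used here because it is self-contained and runnable.

```python
"""Mutual authentication between an infusion pump and its gateway, shown with a
pre-shared-key HMAC challenge/response. Added example, not the vendor's code.
Both parties prove possession of the key over both nonces and the parameters,
so impersonation and in-transit parameter changes are detected."""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Constructed for this example: a per-device provisioned key and the
# parameters the gateway wants the pump to apply.
PSK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
SAMPLE_PARAMS = {"drug": "saline", "rate_ml_h": 125}


def canonical(params: dict) -> bytes:
    """Deterministic encoding so both sides authenticate identical bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def transcript_tag(key: bytes, role: bytes, pump_id: str,
                   nonce_p: bytes, nonce_g: bytes, params: dict) -> bytes:
    """HMAC over the whole transcript; the role label stops one side's tag
    from being reflected back as the other side's proof."""
    msg = b"|".join([role, pump_id.encode(), nonce_p, nonce_g, canonical(params)])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    def __init__(self, key: bytes, params: dict):
        self.key, self.params = key, params
        self.nonce_g = b""

    def respond(self, hello: dict) -> dict:
        """Answer the pump's hello with parameters and a proof of key possession."""
        self.nonce_g = secrets.token_bytes(16)
        tag = transcript_tag(self.key, b"gateway", hello["pump_id"],
                             hello["nonce_p"], self.nonce_g, self.params)
        return {"params": self.params, "nonce_g": self.nonce_g, "tag_g": tag}

    def verify_pump(self, hello: dict, finish: dict) -> bool:
        """Check the pump's proof against the gateway's own view of the session."""
        expected = transcript_tag(self.key, b"pump", hello["pump_id"],
                                  hello["nonce_p"], self.nonce_g, self.params)
        return hmac.compare_digest(expected, finish["tag_p"])


class Pump:
    def __init__(self, pump_id: str, key: bytes, check_gateway: bool = True):
        self.pump_id, self.key, self.check_gateway = pump_id, key, check_gateway
        self.nonce_p = b""
        self.applied: Optional[dict] = None  # parameters actually put into effect

    def hello(self) -> dict:
        self.nonce_p = secrets.token_bytes(16)
        return {"pump_id": self.pump_id, "nonce_p": self.nonce_p}

    def finish(self, reply: dict) -> Optional[dict]:
        """Verify the gateway (unless running in the one-sided 'before' mode),
        apply the parameters, and return the pump's own proof."""
        if self.check_gateway:
            expected = transcript_tag(self.key, b"gateway", self.pump_id,
                                      self.nonce_p, reply["nonce_g"], reply["params"])
            if not hmac.compare_digest(expected, reply["tag_g"]):
                return None  # unauthenticated gateway or altered parameters: apply nothing
        self.applied = reply["params"]
        return {"tag_p": transcript_tag(self.key, b"pump", self.pump_id,
                                        self.nonce_p, reply["nonce_g"], reply["params"])}


def run_session(pump: Pump, gateway: Gateway,
                on_path: Optional[Callable[[dict], dict]] = None) -> str:
    """Drive one exchange; on_path optionally rewrites the gateway's reply in transit."""
    hello = pump.hello()
    reply = gateway.respond(hello)
    if on_path is not None:
        reply = on_path(reply)
    finish = pump.finish(reply)
    if finish is None:
        return "pump rejected gateway"
    if not gateway.verify_pump(hello, finish):
        return "gateway rejected pump"
    return "mutually authenticated"


def rewrite_rate(reply: dict) -> dict:
    """Constructed on-path modification: change the rate, keep the gateway's tag."""
    return {**reply, "params": {**reply["params"], "rate_ml_h": 999}}


if __name__ == "__main__":
    print(run_session(Pump("pump-7", PSK), Gateway(PSK, SAMPLE_PARAMS)))
    print(run_session(Pump("pump-7", PSK), Gateway(PSK, SAMPLE_PARAMS), on_path=rewrite_rate))
```

The two failure cases worth noting are the pump with `check_gateway=True`, which refuses the rewritten reply and applies nothing, and the pump with `check_gateway=False`, which applies the rewritten rate first and is only rejected afterwards by the gateway; the second is the exposure the entry above describes.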
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.