SB2024111944 - Multiple vulnerabilities in Baxter Life2000 Ventilation System
Published: November 19, 2024
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-9834)
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to improper data protection on the ventilator's serial interface. A local attacker can send and receive specially crafted messages to gain access to sensitive information, leading to unintended impact on device settings and performance.
2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2024-9832)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts for the Clinician Password and the Serial Number Clinician Password. A local attacker can conduct brute-force attacks to gain unauthorized access to the ventilator and to the system.
3) Use of hard-coded credentials (CVE-ID: CVE-2024-48971)
The vulnerability allows a local attacker to gain full access to the vulnerable system.
The vulnerability exists because the Clinician Password and the Serial Number Clinician Password are hard-coded credentials in application code. A local unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Improper Physical Access Control (CVE-ID: CVE-2024-48973)
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the debug port on the ventilator's serial interface is enabled by default. A local attacker can send and receive specially crafted messages over the debug port to gain access to sensitive information, leading to unintended impact on device settings and performance.
5) Download of code without integrity check (CVE-ID: CVE-2024-48974)
The vulnerability allows a local attacker to compromise the affected system.
The vulnerability exists because the ventilator does not perform proper file integrity checks when adopting firmware updates. A local attacker can make changes to the device's configuration settings and/or compromise device functionality after a successful software update.
6) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2024-48970)
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the ventilator's microcontroller lacks memory protection. A local attacker can connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool.
7) Information disclosure (CVE-ID: CVE-2020-8004)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the flash memory read-out protection feature on the microcontroller does not block memory access via the ICode bus. A remote attacker can gain unauthorized access to sensitive information on the system.
8) Missing Authentication for Critical Function (CVE-ID: CVE-2024-48966)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the software tools used by service personnel to test and calibrate the ventilator do not support user authentication. A remote attacker can obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software.
9) Insufficient Logging (CVE-ID: CVE-2024-48967)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. A remote attacker can make unauthorized changes to ventilator settings.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.