Use of Hard-coded Password in PrismaFlex and PrisMax - CVE-2020-12037

 

Use of Hard-coded Password in PrismaFlex and PrisMax - CVE-2020-12037

Published: June 19, 2020


Vulnerability identifier: #VU29156
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-12037
CWE-ID: CWE-259
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Baxter
Affected software:
PrismaFlex
PrisMax

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentionaly sensitive information. 

The vulnerability exists due to the affected device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configurations. An authenticated attacker with physical access can use these credentials to modify device settings and calibration.


How to mitigate CVE-2020-12037

Install updates from vendor's website.

Sources