Missing Authentication for Critical Function in Baxter products - CVE-2022-26394

 

Missing Authentication for Critical Function in Baxter products - CVE-2022-26394

Published: September 9, 2022


Vulnerability identifier: #VU67150
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-26394
CWE-ID: CWE-306
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: Baxter
Affected software:
Sigma Spectrum model 35700BAX
Sigma Spectrum model 35700BAX2
Baxter Spectrum IQ model 35700BAX3
Baxter Spectrum IQ LVP with Wireless Battery Modules
Sigma Spectrum LVP Wireless Battery Modules

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application does not perform mutual authentication with the gateway server host. A remote user on the local network can perform a machine-in-the-middle attack that modifies parameters and make the network connection fail.


How to mitigate CVE-2022-26394

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources