-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2149
                      Baxter Multiple Vulnerabilities
                               22 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Phoenix Hemodialysis Delivery System
                   PrisMax
                   Sigma Spectrum Infusion Pumps
                   ExactaMix
                   PrismaFlex
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Root Compromise          -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12048 CVE-2020-12047 CVE-2020-12045 CVE-2020-12043
                   CVE-2020-12041 CVE-2020-12040 CVE-2020-12039 CVE-2020-12037
                   CVE-2020-12036 CVE-2020-12035 CVE-2020-12032 CVE-2020-12024
                   CVE-2020-12020 CVE-2020-12016 CVE-2020-12012 CVE-2020-12008
                   CVE-2017-0143

Original Bulletin: 
   https://www.us-cert.gov/ics/advisories/icsma-20-170-01
   https://www.us-cert.gov/ics/advisories/icsma-20-170-02
   https://www.us-cert.gov/ics/advisories/icsma-20-170-03
   https://www.us-cert.gov/ics/advisories/icsma-20-170-04

Comment: This bulletin contains four (4) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Medical Advisory (ICSMA-20-170-01)

Baxter ExactaMix

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 8.1
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Baxter
  o Equipment: Baxter ExactaMix EM 2400 & EM 1200
  o Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of
    Sensitive Data, Missing Encryption of Sensitive Data, Improper Access
    Control, Exposure of Resource to Wrong Sphere, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in unauthorized
access to sensitive data, alteration of system configuration, alteration of
system resources, and impact to system availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Baxter ExactaMix Systems are affected:

  o ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14,
  o ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

Baxter ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200
Versions 1.1, 1.2, 1.4 and 1.5 have hard-coded administrative account
credentials for the ExactaMix operating system. Successful exploitation of this
vulnerability may allow an attacker to gain unauthorized access to system
resources, including the ability to execute software or to view/update files,
directories, or system configuration. This could allow an attacker with network
access to view sensitive data including PHI.

CVE-2020-12016 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200
Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials
for the ExactaMix application. Successful exploitation of this vulnerability
may allow an attacker with physical access to gain unauthorized access to view/
update system configuration or data. This could impact confidentiality and
integrity of the system and risk exposure of sensitive information including
PHI.

CVE-2020-12012 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1,
1.2 systems use cleartext messages to communicate order information with an
order entry system. This could allow an attacker with network access to view
sensitive data including PHI.

CVE-2020-12008 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).

3.2.4 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1,
1.2 systems store device data with sensitive information in an unencrypted
database. This could allow an attacker with network access to view or modify
sensitive data including PHI.

CVE-2020-12032 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200
Versions 1.1, 1.2, 1.4 and 1.5 do not restrict access to the USB interface
from an unauthorized user with physical access. Successful exploitation of this
vulnerability may allow an attacker with physical access to the system the
ability to load an unauthorized payload or unauthorized access to the hard
drive by booting a live USB OS. This could impact confidentiality and integrity
of the system and risk exposure of sensitive information including PHI.

CVE-2020-12024 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.6 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix EM1200
Versions 1.1, 1.2, and 1.4 do not restrict non-administrative users from
gaining access to the operating system and editing the application startup
script. Successful exploitation of this vulnerability may allow an attacker to
alter the startup script as the limited-access user.

CVE-2020-12020 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:N/I:L/A:H ).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

Baxter ExactaMix EM2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1,
1.2 do not validate, or incorrectly validate, input received via the SMBv1
port, which can affect the control flow or data flow of the system. The SMBv1
input validation vulnerabilities could allow a remote attacker to gain
unauthorized access to sensitive information, create denial-of-service
conditions, or execute arbitrary code. For details, refer to Microsoft Security
Bulletin MS17-010 and the NCCIC WannaCry fact sheet.

CVE-2017-0143 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
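A way to detect SMBv1-capable clients reaching the compounder segment from captured traffic, as an added example that is not part of the CISA advisory or of Baxter's software. It parses the SMB1 NEGOTIATE request (4-byte NetBIOS session header, 32-byte SMB header beginning with 0xFF "SMB" and command 0x72, then the 0x02-prefixed, NUL-terminated dialect strings) and flags clients that offer a genuine SMB1 dialect such as "NT LM 0.12", rather than only the "SMB 2.x" dialects a modern client wraps in an SMB1-framed multi-protocol negotiate. The flow records, the host addresses and the 10.41.0.0/28 compounder network are constructed placeholders.

```python
"""Spot SMBv1-capable clients talking to the ExactaMix segment (added example)."""
import ipaddress
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32          # fixed SMB1 header size after the NetBIOS session header


def build_smb1_negotiate(dialects):
    """Construct an SMB1 NEGOTIATE request offering `dialects` (used here only to
    build sample traffic; a real sensor would read the payload from a capture)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * (SMB1_HEADER_LEN - 5)
    body = b"\x00" + struct.pack("<H", len(data)) + data   # WordCount=0, ByteCount, data
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb      # NetBIOS session message


def parse_smb1_negotiate(payload):
    """Return the offered dialect strings if `payload` is an SMB1 NEGOTIATE
    request, otherwise None."""
    if len(payload) < 4 + SMB1_HEADER_LEN + 3 or payload[0] != 0x00:
        return None
    smb = payload[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[SMB1_HEADER_LEN] != 0:             # NEGOTIATE carries no parameter words
        return None
    (byte_count,) = struct.unpack_from("<H", smb, SMB1_HEADER_LEN + 1)
    data = smb[SMB1_HEADER_LEN + 3:SMB1_HEADER_LEN + 3 + byte_count]
    dialects, pos = [], 0
    while pos < len(data):
        end = data.find(b"\x00", pos + 1)
        if data[pos] != 0x02 or end == -1:    # entry: BufferFormat 0x02 + NUL-terminated name
            return None
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return dialects


def offers_smb1(dialects):
    """True when the client offers a real SMB1 dialect. Clients that list only
    "SMB 2.002"/"SMB 2.???" are doing multi-protocol negotiation and will not
    fall back to SMB1, so they are not counted as SMB1 exposure."""
    return any(not d.startswith("SMB 2.") for d in dialects)


def classify_smb(payload):
    """Coarse label for the first bytes a client sends on TCP 139/445."""
    if len(payload) >= 8 and payload[4:8] == SMB2_MAGIC:
        return "smb2-direct"
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return None
    return "smb1-capable" if offers_smb1(dialects) else "smb1-framed-smb2-only"


def audit_smb(flows, protected_net):
    """Alerts for SMB1-capable negotiates that reach `protected_net`."""
    net = ipaddress.ip_network(protected_net)
    alerts = []
    for src, dst, dport, payload in flows:
        if dport not in (139, 445) or ipaddress.ip_address(dst) not in net:
            continue
        if classify_smb(payload) == "smb1-capable":
            alerts.append((src, dst, dport, parse_smb1_negotiate(payload)))
    return alerts


# Constructed sample flows: (src, dst, dport, first client payload). Addresses are placeholders.
COMPOUNDER_NET = "10.41.0.0/28"
SAMPLE_FLOWS = [
    ("10.10.7.9", "10.41.0.5", 445, build_smb1_negotiate(
        ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.10.5.30", "10.41.0.5", 445, build_smb1_negotiate(["SMB 2.002", "SMB 2.???"])),
    ("10.10.5.30", "10.41.0.5", 445, b"\x00\x00\x00\x24" + SMB2_MAGIC + b"\x00" * 32),
    ("10.10.7.9", "10.50.0.1", 445, build_smb1_negotiate(["NT LM 0.12"])),  # outside the segment
]

if __name__ == "__main__":
    for src, dst, dport, dialects in audit_smb(SAMPLE_FLOWS, COMPOUNDER_NET):
        print(f"SMB1-capable client {src} -> {dst}:{dport} offered {dialects}")
```

Only the first sample flow is reported: it offers "NT LM 0.12" to a host inside the compounder network. The second offers SMB2 dialects in an SMB1 frame and the third negotiates SMB2 directly, which is what a client with SMB1 disabled looks like; the fourth is SMB1-capable but aimed outside the protected range. Blocking TCP 139/445 into the segment at the firewall, as the mitigations below recommend, removes the exposure regardless of what the client offers.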

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter Healthcare reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter recommends that users of ExactaMix EM2400 Versions 1.10 and 1.11, and
ExactaMix EM1200 Versions 1.1 and 1.2, contact the service support team or
regional product service support to upgrade to ExactaMix Version 1.13 (EM2400)
or ExactaMix Version 1.4 (EM1200). Note that these target versions address the
cleartext order traffic, unencrypted database, and SMBv1 issues (3.2.3, 3.2.4
and 3.2.7) but remain in the affected lists for the hard-coded operating system
and application credentials, the unrestricted USB interface, and the editable
startup script (3.2.1, 3.2.2, 3.2.5 and 3.2.6), so the compensating controls
below still apply.
For all users, Baxter recommends the following compensating controls including,
but not limited to:

  o Ensure appropriate physical controls within user's environments to protect
    against unauthorized access to devices.
  o Ensure ExactaMix Compounder passwords are kept confidential. Users should
    implement administrative controls to ensure they are not misused,
    mismanaged, or otherwise shared with unauthorized individuals.
  o The device should be used only in accordance with its intended use and not
    for email, Internet access, file sharing, or other non-approved use. No
    software of any kind should be installed on the device unless approved, in
    writing, by Baxter.
  o The ExactaMix Compounder should be segmented from the enterprise main
    network, and block all non-required communication via firewall and ACL
    configuration.
  o Users should follow standard guidance to ensure security patches are up to
    date across the network.
  o Users should follow proper backup and storage procedures to maintain the
    integrity of data utilized with the ExactaMix Compounder.

Baxter separately provided an ExactaMix Cybersecurity Guide, instructing users
on good cybersecurity practices relevant to the use of the ExactaMix product.
The guide can be requested from productsecurity@baxter.com

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o Where additional information is needed, refer to existing cybersecurity in
    medical device guidance issued by the FDA.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870



- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-02)

Baxter PrismaFlex and PrisMax

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.6
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Baxter
  o Equipment: PrismaFlex and PrisMax
  o Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper
    Authentication, Use of Hard-Coded Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker with
network access to view and alter sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following models and versions of Baxter medical systems are affected:

  o PrismaFlex all versions
  o PrisMax all versions prior to 3.x

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected devices do not implement data-in-transit encryption (e.g., TLS/
SSL) when configured to send treatment data to a PDMS (Patient Data Management
System) or an EMR (Electronic Medical Record) system. An attacker could observe
sensitive data sent from the device.

CVE-2020-12036 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:H/I:N/A:N ).

3.2.2 IMPROPER AUTHENTICATION CWE-287

The affected devices do not require authentication when configured to send
treatment data to a PDMS or an EMR system. This could allow an attacker to
modify treatment status information.

CVE-2020-12035 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:H/I:L/A:L ).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

The PrismaFlex device contains a hard-coded service password that provides
access to biomedical information, device settings, calibration settings, and
network configuration. This could allow an attacker to modify device settings
and calibration.

CVE-2020-12037 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:L/UI:N/S:U/
C:H/I:L/A:L ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported these vulnerabilities to CISA.

4. MITIGATIONS

For PrismaFlex, Baxter recommends users update to Version SW 8.2x or later; the
hard-coded service password vulnerability has been remediated in PrismaFlex
Version SW 8.2.

For PrisMax, Baxter recommends users upgrade to PrisMax v3 with DCM (Digital
Communication Module), which supports a mutually authenticated TLS tunnel to a
PDMS or EMR system capable of TLS 1.2.

Additionally, Baxter recommends users of affected devices implement the
following best practices:

  o Physical access to the device should be limited only to authorized users.
  o Personnel granted elevated privileges on all medical devices should not
    share credentials.
  o Ensure that medical device implementations and configurations employ
    cybersecurity defense-in-depth strategies such as:
       Network segmentation
       Firewalling each network segment, limiting inbound and outbound
        connections
       Scanning for unauthorized network access
       Scanning for vulnerabilities and viruses

Baxter also recommends that if a PDMS or EMR system is used with the affected
devices, users should verify compatibility between the two systems. Users
should also identify, analyze, evaluate, and control all risks associated with
integration of medical devices in an enterprise network. Subsequent changes to
the enterprise network could introduce new risks and require new analysis. The
use of a PDMS or EMR system not compatible with the PrismaFlex and PrisMax
systems can result in the presentation of erroneous data.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Locate medical system networks and remote devices behind firewalls; isolate
    them from the business network.
  o Where additional information is needed, refer to existing cybersecurity in
    medical device guidance issued by the FDA.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870





- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-03)

Baxter Phoenix Hemodialysis Delivery System

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 7.5
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Baxter
  o Equipment: Phoenix Hemodialysis Delivery System
  o Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
unauthorized network access to view sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Phoenix Hemodialysis Delivery System are
affected:

  o Phoenix Hemodialysis Delivery System SW 3.36 and 3.40

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

The Phoenix Hemodialysis device does not support data-in-transit encryption
(e.g., TLS/SSL) when transmitting treatment and prescription data on the
network between the Phoenix system and the Exalis dialysis data management
tool. An attacker with access to the network could observe sensitive treatment
and prescription data sent between the Phoenix system and the Exalis tool.

CVE-2020-12048 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported this vulnerability to CISA.

4. MITIGATIONS

Baxter recommends users apply the following implementation guidance:

  o Ensure medical device implementations and configurations employ
    cybersecurity defense-in-depth strategies such as:
       Ensure proper network segmentation as outlined in the operating manual.
        Phoenix machines and Exalis Server PCs must reside on a dedicated
        subnetwork (the machines and the Exalis servers must be the ONLY
        devices present within it).
       In case of remote connection (WAN), keep the subnetwork dedicated by
        using a VPN network connection.
       Firewall each network segment, limiting inbound and outbound
        connections.
       Scan for unauthorized network access.
       Scan for vulnerabilities and viruses.

Users should also identify, analyze, evaluate, and control all risks associated
with integration of medical devices in an enterprise network. Subsequent
changes to the enterprise network could introduce new risks and require new
analysis.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o Where additional information is needed, refer to existing cybersecurity in
    medical device guidance issued by the FDA.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870





- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-04)

Baxter Sigma Spectrum Infusion Pumps

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 8.6
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Baxter
  o Equipment: Sigma Spectrum Infusion Pumps
  o Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of
    Sensitive Data, Incorrect Permission Assignment for Critical Resource,
    Operation on a Resource After Expiration or Release

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in access to
sensitive data, alteration of system configuration, and impact to system
availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sigma Spectrum Infusion systems are affected:

  o Sigma Spectrum v6.x model 35700BAX
  o Baxter Spectrum v8.x model 35700BAX2
  o Sigma Spectrum v6.x with Wireless Battery Modules v9, v11, v13, v14, v15,
    v16, v20D29, v20D30, v20D31, and v22D24
  o Baxter Spectrum v8.x with Wireless Battery Modules v17, v20D29, v20D30,
    v20D31, and v22D24
  o Baxter Spectrum Wireless Battery Modules v17, v20D29, v20D30, v20D31, and
    v22D24
  o Baxter Spectrum LVP v8.x with Wireless Battery Modules v17, v20D29, v20D30,
    v20D31, and v22D24

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

Sigma Spectrum Infusion System Version(s) 6.x (model 35700BAX) and Baxter
Spectrum Infusion System Version(s) 8.x (model 35700BAX2) contain hard-coded
passwords which, when physically entered on the keypad, provide access to
biomedical menus that include device settings, view of calibration values, and
network configuration of the Sigma Spectrum Wireless Battery Module (WBM) if
installed.

CVE-2020-12039 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:L ).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

Sigma Spectrum Infusion System Version(s) 6.x (model 35700BAX) and Baxter
Spectrum Infusion System Version(s) 8.x (model 35700BAX2) use, at the
application layer, an unauthenticated cleartext communication channel to send
and receive system status and operational data. This could allow an attacker
who has circumvented network security measures to view sensitive non-private
data or to perform a man-in-the-middle attack.

CVE-2020-12040 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:L ).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when used in
conjunction with a Baxter Spectrum v8.x (model 35700BAX2), operates a Telnet
service on Port 1023 with hard-coded credentials.

CVE-2020-12045 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:H ).

3.2.4 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) telnet
Command-Line Interface, grants access to sensitive data stored on the WBM that
permits temporary configuration changes to network settings of the WBM, and
allows the WBM to be rebooted. Temporary configuration changes to network
settings are removed upon reboot.

CVE-2020-12041 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:H ).

3.2.5 USE OF HARD-CODED PASSWORD CWE-259

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used
with a Baxter Spectrum v8.x (model 35700BAX2) in a factory-default wireless
configuration enables an FTP service with hard-coded credentials.

CVE-2020-12047 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:L ).

3.2.6 OPERATION ON A RESOURCE AFTER EXPIRATION OR RELEASE CWE-672

When the Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) is
configured for wireless networking, the FTP service operating on the WBM
remains operational until the WBM is rebooted.

CVE-2020-12043 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:L/A:L ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  o COUNTRIES/AREAS DEPLOYED: United States
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter Healthcare has reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter recommends ensuring appropriate physical controls within user
environments to protect against unauthorized access to devices.

Baxter recommends isolating the Spectrum Infusion Systems to its own network
VLAN to segregate the system from other hospital systems, and reduce the
probability that a threat actor could execute an adjacent attack such as a MiTM
attack against the system to observe clear-text communications.

Baxter recommends using appropriate wireless network security protocols (WPA2,
EAP-TLS, etc.) to provide authentication/encryption of wireless data sent to/
from the Spectrum Infusion System.

Users should ensure the WBM is rebooted after configuration for their
network(s) by removing the WBM from the rear of the Spectrum device for 10-15
seconds, and then re-attaching the WBM.
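A check that the reboot above actually closed the FTP service, as an added example that is not Baxter or CISA code: it attempts a plain TCP connection to the ports the advisory attributes to the WBM, FTP on 21 and the Telnet CLI on 1023, plus 23 because CISA's monitoring guidance lists it, and reads a banner if one is sent. It never logs in or sends credentials. The WBM address is passed on the command line and is the operator's own; with no argument the script runs an offline self-check against a throwaway local listener.

```python
"""Confirm which WBM services still answer after reconfiguration (added example)."""
import socket
import threading
from typing import Dict, List, Optional

# Services the advisory attributes to the Wireless Battery Module, plus TCP/23
# because CISA's monitoring guidance lists it.
WBM_SERVICES = {21: "ftp", 23: "telnet", 1023: "telnet-cli"}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Return the service banner ("" if nothing arrives within `timeout`) when
    `port` accepts a TCP connection; None when it is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return sock.recv(128).decode("latin-1", "replace").strip()
            except socket.timeout:
                return ""                      # open but silent
    except OSError:
        return None                            # refused, filtered or timed out


def wbm_exposed_services(host: str, timeout: float = 2.0) -> Dict[int, Optional[str]]:
    """Probe every port in WBM_SERVICES on `host`."""
    return {port: probe_tcp(host, port, timeout) for port in WBM_SERVICES}


def still_exposed(results: Dict[int, Optional[str]]) -> List[int]:
    """Ports that still accept connections. After the reboot, FTP (21) on a
    wireless-configured WBM should no longer appear here."""
    return sorted(port for port, banner in results.items() if banner is not None)


def _serve_once(listener: socket.socket, banner: bytes) -> None:
    conn, _ = listener.accept()
    conn.sendall(banner)
    conn.close()


def self_check():
    """Offline sanity check: probe a throwaway local listener that sends a banner,
    then a port nothing listens on. Returns (open_banner, closed_result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_serve_once,
                     args=(listener, b"220 FTP server ready\r\n"), daemon=True).start()
    open_banner = probe_tcp("127.0.0.1", open_port, timeout=2.0)
    listener.close()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                              # nothing listens on this port now
    closed_result = probe_tcp("127.0.0.1", closed_port, timeout=1.0)
    return open_banner, closed_result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]                   # address of the WBM under test
        results = wbm_exposed_services(target)
        for port, banner in results.items():
            state = "closed" if banner is None else f"OPEN {banner!r}"
            print(f"{target}:{port} ({WBM_SERVICES[port]}) {state}")
        print("still exposed:", still_exposed(results))
    else:
        print("self-check:", self_check())
```

Run it once before and once after the power-cycle; a port that stays in the "still exposed" list after the reboot means the service did not go away and the VLAN-boundary blocking recommended below is the only control left. A "closed" result from a host outside the pump VLAN can also simply mean the firewall is doing its job, so run the check from inside the segment to learn what the device itself exposes.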

Users should always monitor for and/or block unexpected traffic, such as FTP,
at network boundaries into the Spectrum-specific VLAN.

As a last resort, users may disable wireless operation of the pump. The
Spectrum Infusion System was designed to operate without network access. This
action would impact an organization's ability to rapidly deploy drug library
(formulary) updates to their pumps.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Monitor and log all network traffic attempting to reach the affected
    products, to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
  o Isolate the affected products from the Internet and all untrusted systems.
  o Follow good network hygiene to include appropriate network segmentation,
    utilizing DMZs and properly configured firewalls.
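The monitoring bullet above can be turned into a log check. The following is an added example, not from CISA or Baxter, that reads iptables/nftables-style LOG lines and flags any flow into or out of a medical-device VLAN whose peer is not allowlisted, whose port is not required, or whose port is one of the cleartext or hard-coded-credential services named in these advisories. One caveat it encodes: CISA's list names Port 23/TELNET, but the WBM Telnet CLI in 3.2.3 listens on TCP 1023, so 1023 is on the watch list as well, alongside 139/445 for the ExactaMix SMBv1 issue. The VLAN ranges, the allowlisted servers and their ports, and the sample log lines are constructed placeholders.

```python
"""Audit firewall logs for non-required traffic into medical-device VLANs (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Ports the advisories single out: FTP, Telnet, the WBM Telnet CLI on 1023, SMB.
RISKY_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 1023: "wbm-telnet-cli",
               139: "smb-netbios", 445: "smb"}

# iptables/nftables LOG target format; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?")


@dataclass(frozen=True)
class Segment:
    name: str
    network: ipaddress.IPv4Network
    allowed_peers: FrozenSet[ipaddress.IPv4Address]   # hosts that may talk to the segment
    allowed_ports: FrozenSet[int]                     # destination ports those peers may use


# Assumed site design: one VLAN per device family, one allowlisted server each.
SEGMENTS = [
    Segment("spectrum-pumps", ipaddress.ip_network("10.40.0.0/24"),
            frozenset({ipaddress.ip_address("10.10.5.20")}), frozenset({443})),
    Segment("exactamix", ipaddress.ip_network("10.41.0.0/28"),
            frozenset({ipaddress.ip_address("10.10.5.30")}), frozenset({8000})),
]


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "proto": m["proto"], "dpt": int(m["dpt"]) if m["dpt"] else None}


def segment_of(addr):
    return next((s for s in SEGMENTS if addr in s.network), None)


def policy_violations(rec: dict):
    """(segment, reasons) for one flow; reasons is empty when the flow is allowed.
    Flows with both ends inside a segment are treated as unexpected lateral traffic."""
    seg = segment_of(rec["dst"]) or segment_of(rec["src"])
    if seg is None:
        return None, []
    peer = rec["src"] if rec["dst"] in seg.network else rec["dst"]
    reasons = []
    if peer not in seg.allowed_peers:
        reasons.append(f"peer {peer} is not on the {seg.name} allowlist")
    dpt = rec["dpt"]
    if dpt in RISKY_PORTS:
        reasons.append(f"{RISKY_PORTS[dpt]} (tcp/{dpt}) is a cleartext or hard-coded-credential service")
    elif dpt is not None and dpt not in seg.allowed_ports:
        reasons.append(f"port {dpt} is not required for {seg.name}")
    return seg, reasons


def audit(lines: List[str]) -> List[dict]:
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        seg, reasons = policy_violations(rec)
        if seg is not None and reasons:
            alerts.append({"line": n, "segment": seg.name, "src": str(rec["src"]),
                           "dst": str(rec["dst"]), "dpt": rec["dpt"], "reasons": reasons})
    return alerts


# Constructed sample log lines (iptables LOG target style); hosts and ports are placeholders.
SAMPLE_LOG = [
    "Jun 18 10:00:01 fw kernel: MEDVLAN IN=eth1 OUT=eth2 SRC=10.10.5.20 DST=10.40.0.15 LEN=60 TTL=63 PROTO=TCP SPT=44112 DPT=443 SYN",
    "Jun 18 10:00:07 fw kernel: MEDVLAN IN=eth1 OUT=eth2 SRC=10.10.7.9 DST=10.40.0.15 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=1023 SYN",
    "Jun 18 10:00:09 fw kernel: MEDVLAN IN=eth1 OUT=eth2 SRC=10.10.5.20 DST=10.40.0.15 LEN=60 TTL=63 PROTO=TCP SPT=51002 DPT=21 SYN",
    "Jun 18 10:00:12 fw kernel: MEDVLAN IN=eth1 OUT=eth3 SRC=10.10.7.9 DST=10.41.0.5 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=445 SYN",
    "Jun 18 10:00:15 fw kernel: MEDVLAN IN=eth1 OUT=eth4 SRC=10.10.7.9 DST=10.50.0.1 LEN=60 TTL=63 PROTO=TCP SPT=50001 DPT=445 SYN",
    "Jun 18 10:00:20 fw kernel: MEDVLAN IN=eth1 OUT=eth2 SRC=10.10.5.20 DST=10.40.0.15 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"line {a['line']}: {a['segment']} {a['src']} -> {a['dst']}:{a['dpt']} :: "
              + "; ".join(a["reasons"]))
```

Lines 2, 3 and 4 of the sample are reported: an unknown host reaching the WBM Telnet CLI, the allowlisted pump server opening FTP to a pump (allowed peer, but a service that should not be in use), and SMB toward the compounder segment. The allowed HTTPS flow and the ICMP echo from the allowlisted server pass, and traffic to a network outside the monitored segments is ignored. The same policy table is what the firewall ACLs should enforce; this check is for confirming that they do.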

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----