-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2149
                       Baxter Multiple Vulnerabilities
                                22 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Phoenix Hemodialysis Delivery System
                   PrisMax
                   Sigma Spectrum Infusion Pumps
                   ExactaMix
                   PrismaFlex
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Root Compromise                -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12047 CVE-2020-12045 CVE-2020-12043
                   CVE-2020-12041 CVE-2020-12040 CVE-2020-12039

Original Bulletin:
   https://www.us-cert.gov/ics/advisories/icsma-20-170-01
   https://www.us-cert.gov/ics/advisories/icsma-20-170-02
   https://www.us-cert.gov/ics/advisories/icsma-20-170-03
   https://www.us-cert.gov/ics/advisories/icsma-20-170-04

Comment: This bulletin contains four (4) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Medical Advisory (ICSMA-20-170-01)

Baxter ExactaMix

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see https://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

   o CVSS v3 8.1
   o ATTENTION: Exploitable remotely/low skill level to exploit
   o Vendor: Baxter
   o Equipment: Baxter ExactaMix EM 2400 & EM 1200
   o Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of
     Sensitive Data, Missing Encryption of Sensitive Data, Improper Access
     Control, Exposure of Resource to Wrong Sphere, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in unauthorized
access to sensitive data, alteration of system configuration, alteration of
system resources, and impact to system availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Baxter ExactaMix Systems are affected:

   o ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14
   o ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200
Versions 1.1, 1.2, 1.4 and 1.5 have hard-coded administrative account
credentials for the ExactaMix operating system. Successful exploitation of
this vulnerability may give an attacker unauthorized access to system
resources, including the ability to execute software or to view/update files,
directories, or system configuration. This could allow an attacker with
network access to view sensitive data including PHI.

CVE-2020-12016 has been assigned to this vulnerability. A CVSS v3 base score
of 8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200
Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials
for the ExactaMix application. Successful exploitation of this vulnerability
may allow an attacker with physical access to gain unauthorized access to
view/update system configuration or data. This could impact confidentiality
and integrity of the system and risk exposure of sensitive information
including PHI.

CVE-2020-12012 has been assigned to this vulnerability. A CVSS v3 base score
of 6.8 has been calculated; the CVSS vector string is
(AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions
1.1, 1.2 systems use cleartext messages to communicate order information with
an order entry system. This could allow an attacker with network access to
view sensitive data including PHI.

CVE-2020-12008 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions
1.1, 1.2 systems store device data with sensitive information in an
unencrypted database. This could allow an attacker with network access to
view or modify sensitive data including PHI.

CVE-2020-12032 has been assigned to this vulnerability. A CVSS v3 base score
of 8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200
Versions 1.1, 1.2, 1.4 and 1.5 do not restrict access to the USB interface
from an unauthorized user with physical access. Successful exploitation of
this vulnerability may give an attacker with physical access to the system
the ability to load an unauthorized payload, or to gain unauthorized access
to the hard drive by booting a live USB OS. This could impact confidentiality
and integrity of the system and risk exposure of sensitive information
including PHI.

CVE-2020-12024 has been assigned to this vulnerability. A CVSS v3 base score
of 6.8 has been calculated; the CVSS vector string is
(AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix EM1200
Versions 1.1, 1.2, and 1.4 do not restrict non-administrative users from
gaining access to the operating system and editing the application startup
script. Successful exploitation of this vulnerability may allow an attacker
to alter the startup script as the limited-access user.

CVE-2020-12020 has been assigned to this vulnerability. A CVSS v3 base score
of 6.1 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions
1.1, 1.2 do not validate, or incorrectly validate, input via the SMBv1 port,
which can affect the control flow or data flow of a system. The SMBv1 input
validation vulnerabilities could allow a remote attacker to gain unauthorized
access to sensitive information, create denial of service conditions, or
execute arbitrary code. For details, refer to Microsoft Security Bulletin
MS17-010 and the NCCIC WannaCry fact sheet.

CVE-2017-0143 has been assigned to this vulnerability. A CVSS v3 base score
of 8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

   o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
   o COUNTRIES/AREAS DEPLOYED: Worldwide
   o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter Healthcare reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter recommends that users of the ExactaMix EM 2400 Versions 1.10 and 1.11,
and ExactaMix EM1200 Versions 1.1 and 1.2, contact the service support team
or regional product service support to upgrade to the ExactaMix Version 1.4
(EM1200) and ExactaMix Version 1.13 (EM2400) compounders.

For all users, Baxter recommends the following compensating controls
including, but not limited to:

   o Ensure appropriate physical controls within users' environments to
     protect against unauthorized access to devices.
   o Ensure ExactaMix Compounder passwords are kept confidential. Users
     should implement administrative controls to ensure they are not misused,
     mismanaged, or otherwise shared with unauthorized individuals.
   o The device should be used only in accordance with its intended use and
     not for email, Internet access, file sharing, or other non-approved use.
     No software of any kind should be installed on the device unless
     approved, in writing, by Baxter.
   o The ExactaMix Compounder should be segmented from the enterprise main
     network, and all non-required communication should be blocked via
     firewall and ACL configuration.
   o Users should follow standard guidance to ensure security patches are up
     to date across the network.
   o Users should follow proper backup and storage procedures to maintain the
     integrity of data utilized with the ExactaMix Compounder.

Baxter separately provided an ExactaMix Cybersecurity Guide, instructing
users on good cybersecurity practices relevant to the use of the ExactaMix
product. The guide can be requested from productsecurity@baxter.com.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

   o Locate control system networks and remote devices behind firewalls, and
     isolate them from the business network.
   o Where additional information is needed, refer to existing cybersecurity
     in medical device guidance issued by the FDA.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended practices
are available for reading and download, including Improving Industrial
Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.
- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-02)

Baxter PrismaFlex and PrisMax

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see https://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

   o CVSS v3 7.6
   o ATTENTION: Exploitable remotely/low skill level to exploit
   o Vendor: Baxter
   o Equipment: PrismaFlex and PrisMax
   o Vulnerabilities: Cleartext Transmission of Sensitive Information,
     Improper Authentication, Use of Hard-Coded Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker with
network access to view and alter sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following models and versions of Baxter medical systems are affected:

   o PrismaFlex all versions
   o PrisMax all versions prior to 3.x

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected devices do not implement data-in-transit encryption (e.g.,
TLS/SSL) when configured to send treatment data to a PDMS (Patient Data
Management System) or an EMR (Electronic Medical Record) system. An attacker
could observe sensitive data sent from the device.

CVE-2020-12036 has been assigned to this vulnerability. A CVSS v3 base score
of 6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.2 IMPROPER AUTHENTICATION CWE-287

The affected devices do not require authentication when configured to send
treatment data to a PDMS or an EMR system. This could allow an attacker to
modify treatment status information.

CVE-2020-12035 has been assigned to this vulnerability. A CVSS v3 base score
of 7.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

The PrismaFlex device contains a hard-coded service password that provides
access to biomedical information, device settings, calibration settings, and
network configuration. This could allow an attacker to modify device settings
and calibration.

CVE-2020-12037 has been assigned to this vulnerability. A CVSS v3 base score
of 5.4 has been calculated; the CVSS vector string is
(AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

3.3 BACKGROUND

   o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
   o COUNTRIES/AREAS DEPLOYED: Worldwide
   o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported these vulnerabilities to CISA.

4. MITIGATIONS

For PrismaFlex, Baxter recommends users update to Version SW 8.2x or later.
The hard-coded service password vulnerability has been remediated in
PrismaFlex Versions SW 8.2.

For PrisMax, Baxter recommends users upgrade to PrisMax v3 with DCM (Digital
Communication Module), which supports a mutually authenticated TLS tunnel to
a PDMS or EMR system capable of implementing the latest TLS 1.2.

Additionally, Baxter recommends users of affected devices implement the
following best practices:

   o Physical access to the device should be limited only to authorized
     users.
   o Personnel granted elevated privileges on all medical devices should not
     share credentials.
   o Ensure that medical device implementations and configurations employ
     cybersecurity defense-in-depth strategies such as:
        Network segmentation
        Firewalling each network segment, limiting inbound and outbound
        connections
        Scanning for unauthorized network access
        Scanning for vulnerabilities and viruses

Baxter also recommends that if a PDMS or EMR system is used with the affected
devices, users should verify compatibility between the two systems. Users
should also identify, analyze, evaluate, and control all risks associated
with integration of medical devices in an enterprise network. Subsequent
changes to the enterprise network could introduce new risks and require new
analysis. The use of a PDMS or EMR system not compatible with the PrismaFlex
and PrisMax systems can result in the presentation of erroneous data.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

   o Locate medical system networks and remote devices behind firewalls;
     isolate them from the business network.
   o Where additional information is needed, refer to existing cybersecurity
     in medical device guidance issued by the FDA.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended practices
are available for reading and download, including Improving Industrial
Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.
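The best practices above (firewall each network segment, limit inbound and outbound connections, scan for unauthorized network access) and, later in this bulletin, the Sigma Spectrum advisory's guidance to monitor and block unexpected FTP and Telnet traffic at the boundary of the device VLAN, can be turned into a routine boundary audit over firewall records. The Python below is an added example, not Baxter's or CISA's code: the device VLAN, the PDMS host address, the log-line format and the log lines are all constructed, and the allow list is a hypothetical integration policy (device to PDMS on TCP 443, PDMS to device on TCP 8443) that a site would replace with the flows its own PDMS/EMR integration needs. Legacy cleartext services are reported whether the firewall allowed or denied them, because the guidance is to log them, not only to block them.

```python
"""Boundary audit for a medical-device VLAN: flag flows that cross the VLAN
edge on legacy cleartext services or outside the integration allow list.
Added example (not Baxter's or CISA's); every address, the port policy and
every log line below is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

DEVICE_VLAN = ipaddress.ip_network("10.20.30.0/24")   # constructed: device VLAN
PDMS_HOST = ipaddress.ip_address("10.20.40.10")      # constructed: PDMS/EMR server

# Services the Sigma Spectrum advisory in this bulletin says to monitor or
# block at the VLAN boundary (FTP, Telnet, and the WBM Telnet service on 1023).
LEGACY_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 1023: "telnet (WBM)"}

# Hypothetical integration policy: (direction relative to the device VLAN, dport).
# Only PDMS_HOST may be the peer of these flows.
ALLOWED = {("out", 443), ("in", 8443)}

# Constructed key=value firewall record format.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    direction: str   # "in" = towards the device VLAN, "out" = leaving it
    reason: str


def parse(line):
    """Parse one firewall record; return (src, dst, dport, action) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return src, dst, int(m["dport"]), m["action"]


def audit(lines):
    """Return a Finding for every boundary-crossing flow worth a look."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport, action = rec
        src_in, dst_in = src in DEVICE_VLAN, dst in DEVICE_VLAN
        if src_in == dst_in:
            continue  # intra-VLAN or unrelated traffic: not a boundary crossing
        direction = "in" if dst_in else "out"
        peer = src if dst_in else dst
        if dport in LEGACY_PORTS:
            reason = f"{LEGACY_PORTS[dport]} crossing VLAN boundary ({action})"
        elif peer != PDMS_HOST or (direction, dport) not in ALLOWED:
            reason = f"flow outside integration allow list ({action})"
        else:
            continue  # expected PDMS integration traffic
        findings.append(Finding(str(src), str(dst), dport, direction, reason))
    return findings


# Constructed sample records: two expected PDMS flows, Telnet probes into the
# VLAN (one denied), FTP leaving it, SMB from an unrelated host, an intra-VLAN
# flow that a boundary audit ignores, and a line in another format.
SAMPLE_LOG = [
    "src=10.20.30.15 dst=10.20.40.10 proto=tcp dport=443 action=allow",
    "src=10.20.40.10 dst=10.20.30.15 proto=tcp dport=8443 action=allow",
    "src=10.20.50.7 dst=10.20.30.15 proto=tcp dport=23 action=allow",
    "src=10.20.50.7 dst=10.20.30.15 proto=tcp dport=1023 action=deny",
    "src=10.20.30.15 dst=192.0.2.44 proto=tcp dport=21 action=allow",
    "src=10.20.50.9 dst=10.20.30.20 proto=tcp dport=445 action=allow",
    "src=10.20.30.15 dst=10.20.30.16 proto=tcp dport=23 action=allow",
    "Jun 18 10:00:00 fw01 link up on eth1",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.direction:3} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

On the sample records the audit reports four flows: the two Telnet attempts into the VLAN, the FTP connection leaving it, and the SMB connection from a host that is not the PDMS. Intra-VLAN Telnet is deliberately not reported here; a second, host-based check would be needed for it, since the advisories' boundary guidance does not cover it.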
For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.

- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-03)

Baxter Phoenix Hemodialysis Delivery System

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see https://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

   o CVSS v3 7.5
   o ATTENTION: Exploitable remotely/low skill level to exploit
   o Vendor: Baxter
   o Equipment: Phoenix Hemodialysis Delivery System
   o Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with
unauthorized network access to view sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Phoenix Hemodialysis Delivery System are
affected:

   o Phoenix Hemodialysis Delivery System SW 3.36 and 3.40

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

The Phoenix Hemodialysis device does not support data-in-transit encryption
(e.g., TLS/SSL) when transmitting treatment and prescription data on the
network between the Phoenix system and the Exalis dialysis data management
tool. An attacker with access to the network could observe sensitive
treatment and prescription data sent between the Phoenix system and the
Exalis tool.

CVE-2020-12048 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

   o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
   o COUNTRIES/AREAS DEPLOYED: Worldwide
   o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported this vulnerability to CISA.

4. MITIGATIONS

Baxter recommends users apply the following implementation guidance:

   o Ensure medical device implementations and configurations employ
     cybersecurity defense-in-depth strategies such as:
        o Ensure proper network segmentation as outlined in the operating
          manual. Ensure Phoenix machines and Exalis Server PCs reside on a
          dedicated subnetwork (the machines and the Exalis servers must be
          the ONLY devices present within it).
        o In case of remote connection (WAN), keep the subnetwork dedicated by
          using a VPN network connection.
        o Firewall each network segment, limiting inbound and outbound
          connections.
        o Scan for unauthorized network access.
        o Scan for vulnerabilities and viruses.

Users should also identify, analyze, evaluate, and control all risks
associated with integration of medical devices in an enterprise network.
Subsequent changes to the enterprise network could introduce new risks and
require new analysis.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

   o Locate control system networks and remote devices behind firewalls, and
     isolate them from the business network.
   o Where additional information is needed, refer to existing cybersecurity
     in medical device guidance issued by the FDA.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended practices
are available for reading and download, including Improving Industrial
Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.

- -------------------------------------------------------------------------------

ICS Medical Advisory (ICSMA-20-170-04)

Baxter Sigma Spectrum Infusion Pumps

Original release date: June 18, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see https://www.us-cert.gov/tlp/ .

1. EXECUTIVE SUMMARY

   o CVSS v3 8.6
   o ATTENTION: Exploitable remotely/low skill level to exploit
   o Vendor: Baxter
   o Equipment: Sigma Spectrum Infusion Pumps
   o Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of
     Sensitive Data, Incorrect Permission Assignment for Critical Resource,
     Operation on a Resource After Expiration or Release

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in access to
sensitive data, alteration of system configuration, and impact to system
availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sigma Spectrum Infusion systems are affected:

   o Sigma Spectrum v6.x model 35700BAX
   o Baxter Spectrum v8.x model 35700BAX2
   o Sigma Spectrum v6.x with Wireless Battery Modules v9, v11, v13, v14,
     v15, v16, v20D29, v20D30, v20D31, and v22D24
   o Baxter Spectrum v8.x with Wireless Battery Modules v17, v20D29, v20D30,
     v20D31, and v22D24
   o Baxter Spectrum Wireless Battery Modules v17, v20D29, v20D30, v20D31,
     and v22D24
   o Baxter Spectrum LVP v8.x with Wireless Battery Modules v17, v20D29,
     v20D30, v20D31, and v22D24

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

Sigma Spectrum Infusion System Version(s) 6.x (model 35700BAX) and Baxter
Spectrum Infusion System Version(s) 8.x (model 35700BAX2) contain hard-coded
passwords which, when physically entered on the keypad, provide access to
biomedical menus that include device settings, view of calibration values,
and network configuration of the Sigma Spectrum Wireless Battery Module (WBM)
if installed.

CVE-2020-12039 has been assigned to this vulnerability. A CVSS v3 base score
of 4.3 has been calculated; the CVSS vector string is
(AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

Sigma Spectrum Infusion System Version(s) 6.x (model 35700BAX) and Baxter
Spectrum Infusion System Version(s) 8.x (model 35700BAX2) at the application
layer use an unauthenticated clear-text communication channel to send and
receive system status and operational data. This could allow an attacker who
has circumvented network security measures to view sensitive non-private data
or to perform a man-in-the-middle attack.

CVE-2020-12040 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used
in conjunction with a Baxter Spectrum v8.x (model 35700BAX2), operates a
Telnet service on Port 1023 with hard-coded credentials.

CVE-2020-12045 has been assigned to this vulnerability. A CVSS v3 base score
of 8.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

3.2.4 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) telnet
Command-Line Interface grants access to sensitive data stored on the WBM,
permits temporary configuration changes to network settings of the WBM, and
allows the WBM to be rebooted. Temporary configuration changes to network
settings are removed upon reboot.

CVE-2020-12041 has been assigned to this vulnerability. A CVSS v3 base score
of 8.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

3.2.5 USE OF HARD-CODED PASSWORD CWE-259

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used
with a Baxter Spectrum v8.x (model 35700BAX2) in a factory-default wireless
configuration, enables an FTP service with hard-coded credentials.

CVE-2020-12047 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.6 OPERATION ON A RESOURCE AFTER EXPIRATION OR RELEASE CWE-672

When the Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) is
configured for wireless networking, the FTP service operating on the WBM
remains operational until the WBM is rebooted.

CVE-2020-12043 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

   o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
   o COUNTRIES/AREAS DEPLOYED: United States
   o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter Healthcare has reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter recommends ensuring appropriate physical controls within user
environments to protect against unauthorized access to devices.

Baxter recommends isolating the Spectrum Infusion Systems on their own
network VLAN to segregate the system from other hospital systems, and to
reduce the probability that a threat actor could execute an adjacent attack,
such as a MiTM attack against the system to observe clear-text
communications.

Baxter recommends using appropriate wireless network security protocols
(WPA2, EAP-TLS, etc.) to provide authentication/encryption of wireless data
sent to/from the Spectrum Infusion System.

Users should ensure the WBM is rebooted after configuration for their
network(s) by removing the WBM from the rear of the Spectrum device for 10-15
seconds, and then re-attaching the WBM.

Users should always monitor for and/or block unexpected traffic, such as FTP,
at network boundaries into the Spectrum-specific VLAN.

As a last resort, users may disable wireless operation of the pump. The
Spectrum Infusion System was designed to operate without network access.
This action would impact an organization's ability to rapidly deploy drug
library (formulary) updates to their pumps.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

   o Monitor and log all network traffic attempting to reach the affected
     products, to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
   o Isolate the affected products from the Internet and all untrusted
     systems.
   o Follow good network hygiene to include appropriate network segmentation,
     utilizing DMZs and properly configured firewalls.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended practices
are available for reading and download, including Improving Industrial
Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvAbB+NLKJtyKPYoAQgINxAAgx0F51zTLUHMYWHxI2t5iHWffZFNeHic
8Bxb3tCnhidL2lhPDogCjYdKAVXiVeRyAJJdksA+6o7BjW8DQXjlPergA0gat4Oq
NGXSlUZJ3CEraVmFDJ7i3esIwDyOuyG/HrdXphpDhcCXCxeXhGlEVg63geTyVPUj
u1ivP1BA0sjM3h/bNitXO/dvZxoLEbr4aJjjb5yEtfc7Wf8BiUA3UEoTL0vyfp7K
rSIZf+on2fySjzxPmOhXQ9HllGrmZL4OTfx87ENYCEAp88elSAlK14Bo9cKUd9d7
PuU97u7nA5Xm7DflwPpczqIC/auvEJi6wrQPyL3JO1e34qKe8wY1wWWNxmRLb7+U
/ROsNhmfd+XqW3Eaww9JeGKhFFzSPdDBcrD9e14LDOZTL5ADBtv6wB2uXegVlPMS
cGu0aIw0+emBvY+GhLldr1/yEwWOAQz3zFYCBrrUQVJdbqzX30rAWKBKF3qcOaFY
4s5SXm0I2mWCAK7aGLCfLrLg53jR50aOJXK+be2PxfP5cw/U2Lq7/c17YbfibvjQ
lCLYFd6AYm8yxS7S7igSv0GmWNkkwJV7NXdcSsuJqNA6byz4LDWs2b9KA5FJsPkM
MZc0EtJ7ycl4gG44ti81CKFGuOf733czLFoSu9xyWwADetS5DXnM+crkaj/g2OtE
qRbHg0m+wLQ=
=18SW
-----END PGP SIGNATURE-----