MidnightBSD

Advisories for baxter

CVE-2014-5431 MEDIUM

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to access management functions to make unauthorized configuration changes to biomedical settings such as turn on and off wireless connections and the phase-complete audible alarm that indicates the end of an infusion phase. Baxter has released a new version of the SIGMA Spectrum Infusion System, version 8, which incorporates hardware and software changes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 6.05
CVE-2014-5432 HIGH

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter asserts that this vulnerability only allows access to features and functionality on the WBM and that the SIGMA Spectrum infusion pump cannot be controlled from the WBM. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-592,CWE-287,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 6.05
CVE-2014-5433 HIGH

An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16, which may allow an attacker to gain access the host network. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-312,CWE-255,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 6.05
CVE-2014-5434 MEDIUM

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 has a default account with hard-coded credentials used with the FTP protocol. Baxter asserts no files can be transferred to or from the WBM using this account. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 6.05
CVE-2020-12008 MEDIUM

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems use cleartext messages to communicate order information with an order entry system. This could allow an attacker with network access to view sensitive data including PHI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.10
CVE-2020-12012 LOW

Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials for the ExactaMix application. Successful exploitation of this vulnerability may allow an attacker with physical access to gain unauthorized access to view/update system configuration or data. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 0.9 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em2400_firmware 1.14
baxter em1200_firmware 1.5
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.13
baxter em1200_firmware 1.4
baxter em2400_firmware 1.10
CVE-2020-12016 HIGH

Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 have hard-coded administrative account credentials for the ExactaMix operating system. Successful exploitation of this vulnerability may allow an attacker who has gained unauthorized access to system resources, including access to execute software or to view/update files, directories, or system configuration. This could allow an attacker with network access to view sensitive data including PHI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em2400_firmware 1.14
baxter em1200_firmware 1.5
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.13
baxter em1200_firmware 1.4
baxter em2400_firmware 1.10
CVE-2020-12020 LOW

Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 does not restrict non administrative users from gaining access to the operating system and editing the application startup script. Successful exploitation of this vulnerability may allow an attacker to alter the startup script as the limited-access user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-668,CWE-668,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.13
baxter em1200_firmware 1.4
baxter em2400_firmware 1.10
CVE-2020-12024 LOW

Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploitation of this vulnerability may allow an attacker with physical access to the system the ability to load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 0.9 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em2400_firmware 1.14
baxter em1200_firmware 1.5
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.13
baxter em1200_firmware 1.4
baxter em2400_firmware 1.10
CVE-2020-12032 MEDIUM

Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,CWE-312,

Products Affected

Vendor Product Version
baxter em2400_firmware 1.11
baxter em1200_firmware 1.1
baxter em1200_firmware 1.2
baxter em2400_firmware 1.10
CVE-2020-12035 LOW

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The PrismaFlex device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configuration. This could allow an attacker to modify device settings and calibration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L 0.7 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-287,CWE-798,

Products Affected

Vendor Product Version
baxter prismaflex_firmware *
baxter prismax_firmware *
CVE-2020-12036 MEDIUM

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
baxter prismaflex_firmware *
baxter prismax_firmware *
CVE-2020-12037 MEDIUM

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-259,CWE-319,

Products Affected

Vendor Product Version
baxter prismaflex_firmware *
baxter prismax_firmware *
CVE-2020-12039 LOW

Baxter Sigma Spectrum Infusion Pumps Sigma Spectrum Infusion System v's6.x model 35700BAX & Baxter Spectrum Infusion System v's8.x model 35700BAX2 contain hardcoded passwords when physically entered on the keypad provide access to biomedical menus including device settings, view calibration values, network configuration of Sigma Spectrum WBM if installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware *
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12040 MEDIUM

Sigma Spectrum Infusion System v's6.x (model 35700BAX) and Baxter Spectrum Infusion System Version(s) 8.x (model 35700BAX2) at the application layer uses an unauthenticated clear-text communication channel to send and receive system status and operational data. This could allow an attacker that has circumvented network security measures to view sensitive non-private data or to perform a man-in-the-middle attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware *
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12041 HIGH

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) telnet Command-Line Interface, grants access to sensitive data stored on the WBM that permits temporary configuration changes to network settings of the WBM, and allows the WBM to be rebooted. Temporary configuration changes to network settings are removed upon reboot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H 3.9 5.5

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,CWE-732,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12043 HIGH

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when configured for wireless networking the FTP service operating on the WBM remains operational until the WBM is rebooted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-672,CWE-672,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12045 HIGH

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when used in conjunction with a Baxter Spectrum v8.x (model 35700BAX2), operates a Telnet service on Port 1023 with hard-coded credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12047 HIGH

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used with a Baxter Spectrum v8.x (model 35700BAX2) in a factory-default wireless configuration enables an FTP service with hard-coded credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
baxter sigma_spectrum_infusion_system_firmware 8.0
CVE-2020-12048 MEDIUM

Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
baxter phoenix_x36_firmware 3.40
baxter phoenix_x36_firmware 3.36
CVE-2021-43935 MEDIUM

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-288,CWE-287,

Products Affected

Vendor Product Version
baxter welch_allyn_hscribe_holter_analysis_system_firmware *
baxter welch_allyn_q-stress_cardiac_stress_testing_system_firmware *
baxter welch_allyn_xscribe_cardiac_stress_testing_system_firmware *
baxter welch_allyn_rscribe_resting_ecg_system *
baxter welch_allyn_diagnostic_cardiology_suite 2.1.0
baxter welch_allyn_connex_cardio *
baxter welch_allyn_vision_express_holter_analysis_system *
CVE-2022-26390

The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.2 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 0.5 3.6
productsecurity@baxter.com 4.2 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 0.5 3.6

Products Affected

Vendor Product Version
baxter sigma_spectrum_35700bax2_firmware -
baxter spectrum_wireless_battery_module_firmware 16d38
baxter spectrum_wireless_battery_module_firmware 17
baxter sigma_spectrum_35700bax_firmware -
baxter spectrum_wireless_battery_module_firmware *
baxter spectrum_wireless_battery_module_firmware 16
baxter spectrum_wireless_battery_module_firmware 17d19
baxter baxter_spectrum_iq_35700bax3_firmware -
CVE-2022-26392

The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@baxter.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
baxter sigma_spectrum_35700bax2_firmware -
baxter spectrum_wireless_battery_module_firmware 16d38
baxter spectrum_wireless_battery_module_firmware 17
baxter sigma_spectrum_35700bax_firmware -
baxter spectrum_wireless_battery_module_firmware *
baxter spectrum_wireless_battery_module_firmware 16
baxter spectrum_wireless_battery_module_firmware 17d19
baxter baxter_spectrum_iq_35700bax3_firmware -
CVE-2022-26393

The Baxter Spectrum WBM is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a Denial of Service (DoS) on the WBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@baxter.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.6 3.4
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

Products Affected

Vendor Product Version
baxter spectrum_wireless_battery_module_firmware 20d29
baxter sigma_spectrum_35700bax2_firmware -
baxter sigma_spectrum_35700bax_firmware -
baxter baxter_spectrum_iq_35700bax3_firmware -
CVE-2022-26394

The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
productsecurity@baxter.com 5.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.1 3.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 2.8 2.5

Products Affected

Vendor Product Version
baxter sigma_spectrum_35700bax2_firmware -
baxter spectrum_wireless_battery_module_firmware 16d38
baxter spectrum_wireless_battery_module_firmware 17
baxter sigma_spectrum_35700bax_firmware -
baxter spectrum_wireless_battery_module_firmware *
baxter spectrum_wireless_battery_module_firmware 16
baxter spectrum_wireless_battery_module_firmware 17d19
baxter baxter_spectrum_iq_35700bax3_firmware -