Instructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator’s Manual.īaxter provides recommended steps for erasing all data and settings on the pump to be decommissioned:
#Spectrum f secure software
Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions authentication is already available in Spectrum IQ (CVE-2022-26394). MITIGATIONSĪccording to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. COMPANY HEADQUARTERS LOCATION: United Statesĭeral Heiland, Principal IoT Researcher at Rapid 7, reported these vulnerabilities to Baxter.COUNTRIES/AREAS DEPLOYED: United States, Canada, Puerto Rico, Caribbean.CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health.
#Spectrum f secure update
End Update A part 3 of 3 - 4.3 BACKGROUND A CVSS v3 base score of 7.5 has been calculated the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L).
Alternatively, an attacker could spoof the server host and send specifically crafted data.ĬVE-2022-26394 has been assigned to this vulnerability. This could allow an attacker to perform a machine-in-the-middle attack that modifies parameters, making the network connection fail. The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) does not perform mutual authentication with the gateway server host. 4.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 A CVSS v3 base score of 5.0 has been calculated the CVSS vector string is ( AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L). An attacker could use this to read memory in the WBM to access sensitive information or cause a denial-of-service condition on the WBM.ĬVE-2022-26393 has been assigned to this vulnerability. The Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. 4.2.3 USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134 A CVSS v3 base score of 3.1 has been calculated the CVSS vector string is ( AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). An attacker could use this to read memory in the WBM to access sensitive information.ĬVE-2022-26392 has been assigned to this vulnerability. The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32), when in superuser mode, are susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM, potentially accessing sensitive information. The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. 4.2.2 USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134 A CVSS v3 base score of 4.2 has been calculated the CVSS vector string is ( AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). An attacker with physical access to a device without all data and settings erased may be able to extract sensitive information.ĬVE-2022-26390 has been assigned to this vulnerability.
PHI is only stored in Spectrum IQ pumps using auto programming. The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28) stores network credentials and patient health information (PHI) in unencrypted form.
0 kommentar(er)
