DATABASE RESOURCES PRICING ABOUT US

{"id": "THN:7D56D3C5E62FC42BA4A93F9D77117CCA", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "New Vulnerabilities Reported in Baxter's Internet-Connected Infusion Pumps", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgKK_E43MrCfjbQwcOmnyL8d3Gp1iIglUy_yYtGKGLw8USS-Ka5gNG25H29lTUMPGKdV1SbnsI83P_kFdHes3WafFMdPxqljmEMkmdlhNUJHGyXnI-Ee7Dr2miRbIJjoy6f85TR0lUseHhbvfmKIZm-iAB-SI9ENCySo9EGAxfzYY3n6pvnBS4seNPI/s728-e100/Infusion-pump.jpg>)\n\nMultiple security vulnerabilities have been disclosed in Baxter's internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients.\n\n\"Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01>) in a coordinated advisory.\n\nInfusion pumps are internet-enabled devices used by hospitals to deliver medication and nutrition directly into a patient's circulatory system.\n\nThe four vulnerabilities in question, discovered by [cybersecurity firm Rapid7](<https://www.rapid7.com/blog/post/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/>) and reported to Baxter in April 2022, affect the following Sigma Spectrum Infusion systems -\n\n * Sigma Spectrum v6.x model 35700BAX\n * Sigma Spectrum v8.x model 35700BAX2\n * Baxter Spectrum IQ (v9.x) model 35700BAX3\n * Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28\n\nThe list of flaws uncovered is below -\n\n * **CVE-2022-26390** (CVSS score: 4.2) - Storage of network credentials and patient health information (PHI) in unencrypted format\n * **CVE-2022-26392** (CVSS score: 2.1) - A [format string vulnerability](<https://owasp.org/www-community/attacks/Format_string_attack>) when running a [Telnet](<https://en.wikipedia.org/wiki/Telnet>) session\n * **CVE-2022-26393** (CVSS score: 5.0) - A format string vulnerability when processing Wi-Fi SSID information, and\n * **CVE-2022-26394** (CVSS score: 5.5) - Missing mutual authentication with the gateway server host\n\nSuccessful exploitation of the above vulnerabilities could cause a remote denial-of-service (DoS), or enable an attacker with physical access to the device to extract sensitive information or alternatively carry out adversary-in-the-middle attacks.\n\nThe vulnerabilities could further result in a \"loss of critical Wi-Fi password data, which could lead to greater network access should the network not be properly segmented,\" Deral Heiland, principal security researcher for IoT at Rapid7, told The Hacker News.\n\nBaxter, in an advisory, emphasized that the issues only affect customers who use the wireless capabilities of the Spectrum Infusion System, but also cautioned it could lead to a delay or interruption of therapy should the flaws be weaponized.\n\n\"If exploited, the vulnerabilities could result in disruption of [Wireless Battery Module] operation, disconnection of the WBM from the wireless network, alteration of the WBM's configuration, or exposure of data stored on the WBM,\" the company [said](<https://www.baxter.com/sites/g/files/ebysai3896/files/2022-09/ICSMA-22-251-01.pdf>).\n\nThe latest findings are yet another indication of how common software vulnerabilities continue to plague the medical industry, a concerning development given their potential implications affecting patient care.\n\nThat said, this is not the first time security flaws in infusion pumps have come under the scanner. Earlier this March, Palo Alto Networks Unit 42 [disclosed](<https://thehackernews.com/2022/03/report-nearly-75-of-infusion-pumps.html>) that an overwhelming majority of infusion pumps were exposed to nearly 40 known vulnerabilities, highlighting the need to secure healthcare systems from security threats.\n\nBaxter is recommending customers to ensure that all data and settings are erased from decommissioned pumps, place infusion systems behind a firewall, enforce network segmentation, and use strong wireless network security protocols to prevent unauthorized access.\n\nIt's crucial to \"implement processes and procedures to manage the de-acquisition of medical technology, [and] to assure that PII and/or configuration data such as Wi-Fi, WPA, PSK, etc., are purged from the devices prior to resale or transfer to another party,\" Heiland said.\n\n\"Maintain strong physical security within and around medical areas containing MedTech devices, as well as areas with access to a biomed network. Implement network segmentation for all biomed networks to prevent other general or business networks from communicating with MedTech devices.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2022-09-08T17:55:00", "modified": "2022-09-08T17:55:48", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://thehackernews.com/2022/09/new-vulnerabilities-reported-in-baxters.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2022-26390", "CVE-2022-26392", "CVE-2022-26393", "CVE-2022-26394"], "immutableFields": [], "lastseen": "2022-09-08T19:08:44", "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "ics", "idList": ["ICSMA-22-251-01"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:4D69504143872C1DF22DEB73BA90A6BD"]}]}, "score": {"value": 0.1, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-26390", "epss": "0.000520000", "percentile": "0.185060000", "modified": "2023-03-19"}, {"cve": "CVE-2022-26392", "epss": "0.000490000", "percentile": "0.152580000", "modified": "2023-03-19"}, {"cve": "CVE-2022-26393", "epss": "0.000480000", "percentile": "0.150570000", "modified": "2023-03-19"}, {"cve": "CVE-2022-26394", "epss": "0.000440000", "percentile": "0.084270000", "modified": "2023-03-19"}], "vulnersScore": 0.1}, "_state": {"dependencies": 1662664735, "score": 1684015195, "epss": 1679305109}, "_internal": {"score_hash": "5f181665ce07e33f80af9808341e072b"}}

{"ics": [{"lastseen": "2023-06-05T15:14:33", "description": "## 1\\. EXECUTIVE SUMMARY\n\n**\\--------- Begin Update A part 1 of 3 ---------**\n\n * **CVSS v3 7.5**\n\n**\\--------- End Update A part 1 of 3 ---------**\n\n * **ATTENTION:** Exploitable remotely\n * **Vendor:** Baxter\n * **Equipment:** Sigma and Baxter Spectrum Infusion Pumps\n * **Vulnerabilities:** Missing Encryption of Sensitive Data, Use of Externally Controlled Format String, Missing Authentication for Critical Function\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the advisory update titled ICSA-21-251-01 Baxter Sigma Spectrum Infusion Pump that was published September 8, 2022, to the ICS webpage on www.cisa.gov/uscert\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of Sigma Spectrum Infusion systems are affected:\n\n * Sigma Spectrum v6.x model 35700BAX\n * Sigma Spectrum v8.x model 35700BAX2\n * Baxter Spectrum IQ (v9.x) model 35700BAX3\n * Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [MISSING ENCRYPTION OF SENSITIVE DATA CWE-311](<https://cwe.mitre.org/data/definitions/311.html>)\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28) stores network credentials and patient health information (PHI) in unencrypted form. PHI is only stored in Spectrum IQ pumps using auto programming. An attacker with physical access to a device without all data and settings erased may be able to extract sensitive information.\n\n[CVE-2022-26390](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26390>) has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is ([AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 4.2.2 [ USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134](<https://cwe.mitre.org/data/definitions/134.html>)\n\n**\\--------- Begin Update A part 2 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM, potentially accessing sensitive information.\n\n**\\--------- End Update A part 2 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32), when in superuser mode, are susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.\n\n[CVE-2022-26392](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26392>) has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N>)).\n\n#### 4.2.3 [USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134](<https://cwe.mitre.org/data/definitions/134.html>)\n\nThe Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a denial-of-service condition on the WBM.\n\n[CVE-2022-26393](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26393>) has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.4 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\n**\\--------- Begin Update A part 3 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) does not perform mutual authentication with the gateway server host. This could allow an attacker to perform a machine-in-the-middle attack that modifies parameters, making the network connection fail. Alternatively, an attacker could spoof the server host and send specifically crafted data.\n\n[CVE-2022-26394](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26394>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L>)).\n\n**\\--------- End Update A part 3 of 3 ---------**\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED:** United States, Canada, Puerto Rico, Caribbean\n * **COMPANY HEADQUARTERS LOCATION:** United States\n\n### 4.4 RESEARCHER\n\nDeral Heiland, Principal IoT Researcher at Rapid 7, reported these vulnerabilities to Baxter.\n\n## 5\\. MITIGATIONS\n\nAccording to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions authentication is already available in Spectrum IQ (CVE-2022-26394).\n\nInstructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator\u2019s Manual.\n\nBaxter provides recommended steps for erasing all data and settings on the pump to be decommissioned:\n\n * Reset the network settings (Biomed-&gt;Network Configuration-&gt;Transfer Network Settings-&gt;Reset).\n * Delete the drug library.\n * Clear the history log.\n\nTo erase all data and settings on the WBM to be decommissioned:\n\n * Select a pump other than the one last used with the WBM.\n * Reset the network settings and enable networking on the pump.\n * Place the WBM on the pump.\n * Wait until the network icon turns yellow.\n\nIn conjunction with the user\u2019s own network security policies, Baxter recommends the following mitigations to reduce the likelihood these vulnerabilities will be exploited:\n\n * Ensure appropriate physical controls within user environments to protect against unauthorized access to devices.\n * Isolate the Spectrum Infusion Systems to its own network virtual local area network (VLAN) to segregate the system from other hospital systems and reduce the probability that a threat actor could execute an adjacent attack, such as a machine-in-the-middle attack against the system to observe clear-text communications.\n * Use the strongest available wireless network security protocols (WPA2, EAP-TLS, etc.) to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System. \n * Users should ensure the WBM is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM. \n * Users should always monitor for and/or block unexpected traffic, such as FTP and Telnet, at network boundaries into the Spectrum-specific VLAN.\n\nAs a last resort, users may disable wireless operation of the pump; the Spectrum Infusion System was designed to operate without network access. This action would impact an organization\u2019s ability to rapidly deploy drug library (formulary) updates to their pumps.\n\nFor additional information, see the [Baxter Product Security Bulletin](<https://www.baxter.com/product-security#additionalresources>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/Recommended-Practices>) on the ICS webpage at [cisa.gov/ics](<https://cisa.gov/ics>). Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with [Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS webpage at [cisa.gov/ics](<https://cisa.gov/ics>) in the technical information paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. These vulnerabilities have a high attack complexity.\n\n### Vendor\n\nBaxter\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-29T12:00:00", "type": "ics", "title": "Baxter Sigma Spectrum Infusion Pump (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26390", "CVE-2022-26392", "CVE-2022-26393", "CVE-2022-26394"], "modified": "2022-09-29T12:00:00", "id": "ICSMA-22-251-01", "href": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-251-01", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"}}], "rapid7blog": [{"lastseen": "2022-09-15T18:03:53", "description": "\n\nRapid7, Inc. (Rapid7) discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare. The affected products are:\n\n * SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01)\n * SIGMA Wi-Fi Battery (Firmware Versions 16, 17, 20 D29)\n\nRapid7 initially reported these issues to Baxter on April 20, 2022. Since then, members of our research team have worked alongside the vendor to discuss the impact, resolution, and a coordinated response for these vulnerabilities.\n\n## Product description\n\nBaxter\u2019s SIGMA Spectrum product is a commonly used brand of infusion pumps, which are typically used by hospitals to deliver medication and nutrition directly into a patient\u2019s circulatory system. These TCP/IP-enabled devices deliver data to healthcare providers to enable more effective, coordinated care.\n\n## Credit\n\nThe vulnerabilities in two TCP/IP-enabled medical devices were discovered by Deral Heiland, Principal IoT Researcher at Rapid7. They are being disclosed in accordance with [Rapid7\u2019s vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>) after coordination with the vendor.\n\n## Vendor statement\n\n\"In support of our mission to save and sustain lives, Baxter takes product security seriously. We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process. Software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates to address the format string attack (CVE-2022-26393) are addressed in WBM version 20D30 and all other WBM versions. Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions to erase all data and settings from WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator\u2019s Manual and are available in the [Baxter Security Bulletin](<https://www.baxter.com/product-security#additionalresources>).\"\n\n## Exploitation and remediation\n\nThis section details the potential for exploitation and our remediation guidance for the issues discovered and reported by Rapid7, so that defenders of this technology can gauge the impact of, and mitigations around, these issues appropriately.\n\n## Battery units store Wi-Fi credentials (CVE-2022-26390)\n\nRapid7 researchers tested Spectrum battery units for vulnerabilities. We found all units that were tested store Wi-Fi credential data in non-volatile memory on the device.\n\nWhen a Wi-Fi battery unit is connected to the primary infusion pump and the infusion pump is powered up, the pump will transfer the Wi-Fi credential to the battery unit.\n\n### Exploitation\n\nAn attacker with physical access to an infusion pump could install a Wi-Fi battery unit (easily purchased on eBay), and then quickly power-cycle the infusion pump and remove the Wi-Fi battery \u2013 allowing them to walk away with critical Wi-Fi data once a unit has been disassembled and reverse-engineered.\n\nAlso, since these battery units store Wi-Fi credentials in non-volatile memory, there is a risk that when the devices are de-acquisitioned and no efforts are made to overwrite the stored data, anyone acquiring these devices on the secondary market could gain access to critical Wi-Fi credentials of the organization that de-acquisitioned the devices.\n\n### Remediation\n\nTo mitigate this vulnerability, organizations should restrict physical access by any unauthorized personnel to the infusion pumps or associated Wi-Fi battery units.\n\nIn addition, before de-acquisitioning the battery units, batteries should be plugged into a unit with invalid or blank Wi-Fi credentials configured and the unit powered up. This will overwrite the Wi-Fi credentials stored in the non-volatile memory of the batteries. Wi-Fi must be enabled on the infusion pump unit for this overwrite to work properly.\n\n## Format string vulnerabilities\n\n### \u201cHostmessage\u201d (CVE-2022-26392)\n\nWhen running a telnet session on the Baxter Sigma Wi-Fi Battery Firmware Version 16, the command \u201chostmessage\u201d is vulnerable to format string vulnerability. \n\n**Exploitation**\n\nAn attacker could trigger this format string vulnerability by entering the following command during a telnet session:\n\n\n\nTo view the output of this format string vulnerability, `_settrace state=on` _must be enabled in the telnet session. _`set trace`_ does not need to be enabled for the format string vulnerability to be triggered, but it does need to be enabled if the output of the vulnerability is to be viewed.\n\nOnce _`set trace`_ is enabled and showing output within the telnet session screen, the output of the vulnerability can be viewed, as shown below, where each _`%x`_ returned data from the device\u2019s process stack.\n\n\n\n### SSID (CVE-2022-26393)\n\nRapid7 also found another format string vulnerability on Wi-Fi battery software version 20 D29. This vulnerability is triggered within SSID processing by the _`get_wifi_location (20)`_ command being sent via XML to the Wi-Fi battery at TCP port 51243 or UDP port 51243.\n\n\n\n**Exploitation**\n\nThis format string vulnerability can be triggered by first setting up a Wi-Fi access point containing format string specifiers in the SSID. Next, an attacker could send a _`get_wifi_location (20)`_ command via TCP Port 51243 or UDP port 51243 to the infusion pump. This causes the device to process the SSID name of the access point nearby and trigger the exploit. The results of the triggering of format strings can be viewed with trace log output within a telnet session as shown below.\n\n\n\nThe SSID of _`AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x`_ allows for control of 4 bytes on the stack, as shown above, using the _`%x`_ to walk the stack until it reaches 41414141. By changing the leading _`AAAA`_ in the SSID, a malicious actor could potentially use the format string injection to read and write arbitrary memory. At a minimum, using format strings of _`%s`_ and _`%n`_ could allow for a denial of service (DoS) by triggering an illegal memory read (_`%s`_) and/or illegal memory write (_`%n`_).\n\nNote that in order to trigger this DoS effect, the attacker would need to be within normal radio range and either be on the device's network or wait for an authorized _`get_wifi_location`_ command (the latter would itself be a usual, non-default event).\n\n**Remediation**\n\nTo prevent exploitation, organizations should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to infusion pumps. In addition, be sure to monitor Wi-Fi space for rogue access points containing format string specifiers within the SSID name.\n\n## Unauthenticated network reconfiguration via TCP/UDP (CVE-2022-26394)\n\nAll Wi-Fi battery units tested (versions 16, 17, and 20 D29) allowed for remote unauthenticated changing of the SIGMA GW IP address. The SIGMA GW setting is used for configuring the back-end communication services for the devices operation.\n\n### Exploitation\n\nAn attacker could accomplish a remote redirect of SIGMA GW by sending an XML command 15 to TCP or UDP port 51243. During testing, only the SIGMA GW IP was found to be remotely changeable using this command. An example of this command and associated structure is shown below:\n\n\n\nThis could be used by a malicious actor to man-in-the-middle (MitM) all the communication initiated by the infusion pump. This could lead to information leakage and/or data being manipulated by a malicious actor.\n\n### Remediation\n\nOrganizations using SIGMA Spectrum products should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to the infusion pumps.\n\n## UART configuration access to Wi-Fi configuration data (additional finding)\n\nThe SIGMA Spectrum infusion pump unit transmits data unencrypted to the Wi-Fi battery unit via universal asynchronous receiver-transmitter (UART). During the power-up cycle of the infusion pump, the first block of data contains the Wi-Fi configuration data. This communication contains the SSID and 64-Character hex PSK.\n\n\n\n### Exploitation\n\nA malicious actor with **physical access** to an infusion pump can place a communication shim between the units (i.e., the pump and the Wi-Fi battery) and capture this data during the power-up cycle of the unit.\n\n\n\n### Remediation \n\n\nTo help prevent exploitation, organizations should restrict physical access by unauthorized persons to the infusion pumps and associated Wi-Fi battery units.\n\nNote that this is merely an additional finding based on physical, hands-on access to the device. While Baxter has addressed this finding through better decommissioning advice to end users, this particular issue does not rank for its own CVE identifier, as local encryption is beyond the scope of the hardware design of the device.\n\n## Disclosure timeline\n\nBaxter is an exemplary medical technology company with an obvious commitment to patient and hospital safety. While medtech vulnerabilities can be tricky and expensive to work through, we're quite pleased with the responsiveness, transparency, and genuine interest shown by Baxter's product security teams.\n\n * **April, 2022:** Issues discovered by [Deral Heiland](<https://twitter.com/Percent_X>) of Rapid7\n * **Wed, April 20, 2022:** Issues reported to [Baxter product security](<https://www.baxter.com/product-security#disclosure>)\n * **Wed, May 11, 2022: **Update requested from Baxter\n * **Wed, Jun 1, 2022:** Teleconference with Baxter and Rapid7 presenting findings\n * **Jun-Jul 2022: **Several follow up conversations and updates between Baxter and Rapid7\n * **Tue, Aug 2, 2022:** Coordination tracking over [VINCE](<https://www.kb.cert.org/vince/>) and more teleconferencing involving Baxter, Rapid7, CERT/CC, and [ICS-CERT](<https://www.cisa.gov/uscert/ics/advisories>) (VU#142423)\n * **Wed, Aug 31, 2022: **Final review of findings and mitigations\n * **Thu Sep 8, 2022:** Baxter advisory [published](<https://www.baxter.com/product-security#additionalresources>)\n * **Thu, Sep 8, 2022:** Public disclosure of these issues\n * **Thu, Sep 8, 2022:** ICS-CERT [advisory published](<https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software](<https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/>)_\n * _[CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE](<https://www.rapid7.com/blog/post/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/>)_\n * _[QNAP Poisoned XML Command Injection (Silently Patched)](<https://www.rapid7.com/blog/post/2022/08/04/qnap-poisoned-xml-command-injection-silently-patched/>)_\n * _[Primary Arms PII Disclosure via IDOR (FIXED)](<https://www.rapid7.com/blog/post/2022/08/02/primary-arms-pii-disclosure-via-idor/>)_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-08T16:30:00", "type": "rapid7blog", "title": "Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26390", "CVE-2022-26392", "CVE-2022-26393", "CVE-2022-26394", "CVE-2022-31660", "CVE-2022-31661"], "modified": "2022-09-08T16:30:00", "id": "RAPID7BLOG:4D69504143872C1DF22DEB73BA90A6BD", "href": "https://blog.rapid7.com/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26394", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.8, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26394"], "modified": "2022-09-16T16:47:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26394", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26394", "cvss": {"score": 4.8, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:14", "description": "The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.", "cvss3": {"exploitabilityScore": 0.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 4.2, "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26390", "cwe": ["CWE-311"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26390"], "modified": "2022-09-15T16:46:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:22d28", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26390", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26390", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:22d28:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a Denial of Service (DoS) on the WBM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26393", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26393"], "modified": "2022-09-15T15:50:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d29", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-"], "id": "CVE-2022-26393", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26393", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d29:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26392", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26392"], "modified": "2022-09-15T16:45:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26392", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26392", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*"]}]}