HC3 issues sector alert on high-risk vulnerabilities in Baxter Welch Allyn medical equipment

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) published a sector alert addressing vulnerabilities in Baxter Welch Allyn equipment deployed sector-wide. The move follows two ICS (industrial control systems) medical advisories published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Baxter products, including the Baxter Welch Allyn Configuration Tool and Baxter Welch Allyn Connex Spot Monitor (CSM). Both vulnerabilities received a CVSS v4 score of 9 or higher, and are exploitable remotely. 

“Successful exploitation of one of these vulnerabilities could result in an impact and/or delay to patient care,” the HC3 said in its alert. “While a patch is currently available for one of these vulnerabilities, a software update will not be made available for the other until Q3 2024. Mitigations and workarounds from the vendor and CISA are outlined in this Sector Alert.”

HC3 also added that ‘exploitation of these vulnerabilities could lead to the unintended exposure of credentials to unauthorized users and/or allow an attacker to modify device configuration and firmware data. Tampering with this data could lead to device compromise, resulting in impact and/or delay in patient care.’

Baxter has said that any credentials that were used for authentication or input while using the Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately. Despite this risk, Baxter stated that it has not found any evidence to suggest the flaw has been exploited in the wild, and plans to release a new software update to address the flaw in the third quarter of this year. Also, no user action will be required once the update is released.

The first vulnerability, classified as CWE-522 (insufficiently protected credentials), affects the Baxter Welch Allyn Configuration Tool and may allow remote access to services using stolen credentials. The issue affects Welch Allyn Configuration Tool versions 1.9.4.1 and prior. The agency identified that the product transmits or stores authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval.

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect ‘sources’ (origins of input) with ‘sinks’ (destinations where the data interacts with external components, a lower layer such as the OS, etc.). 
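As an added illustration of the source-to-sink approach described above (example code written for this article, not Baxter's or any vendor's tool), the following toy checker uses Python's `ast` module to propagate taint from credential sources through assignments and flag the CWE-522 pattern: a credential-derived value reaching a plaintext file write or a cleartext HTTP post. The source and sink names and the sample tool code are hypothetical, constructed for the demo.

```python
import ast

# Hypothetical source/sink names picked for this demo; a real SAST rule set
# would cover many libraries and distinguish TLS from cleartext transports.
CREDENTIAL_SOURCES = {"getpass", "input"}       # where credentials enter
INSECURE_SINKS = {"write", "post"}              # plaintext storage / HTTP send


def _call_name(call: ast.Call) -> str:
    """Bare name of the callee: 'post' for requests.post, 'input' for input."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")


def _names_in(node: ast.AST) -> set[str]:
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_credential_leaks(source: str) -> list[tuple[int, str, str]]:
    """Return (line, variable, sink) for each credential-derived variable reaching an
    insecure sink. Flow-insensitive: taint is propagated to a fixpoint, then sinks are checked."""
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted: set[str] = set()
    changed = True
    while changed:                       # propagate taint through assignments until stable
        changed = False
        for a in assigns:
            from_source = isinstance(a.value, ast.Call) and _call_name(a.value) in CREDENTIAL_SOURCES
            if from_source or _names_in(a.value) & tainted:
                for t in a.targets:
                    if isinstance(t, ast.Name) and t.id not in tainted:
                        tainted.add(t.id)
                        changed = True
    findings = []
    for call in ast.walk(tree):          # any tainted name in a sink call's arguments is a finding
        if isinstance(call, ast.Call) and _call_name(call) in INSECURE_SINKS:
            args = list(call.args) + [k.value for k in call.keywords]
            for name in sorted(set().union(*map(_names_in, args)) & tainted):
                findings.append((call.lineno, name, _call_name(call)))
    return sorted(findings)


# Constructed sample resembling a configuration tool; not Baxter's code.
SAMPLE_TOOL_CODE = '''
def configure(device_url, log):
    user = input("Username: ")
    pw = getpass("Password: ")
    blob = user + ":" + pw
    log.write("configured")                                     # no credential: not flagged
    log.write(blob)                                             # credential stored in cleartext
    requests.post("http://" + device_url, data={"auth": blob})  # credential sent over HTTP
'''
```

Running `find_credential_leaks(SAMPLE_TOOL_CODE)` reports the two tainted sink calls (lines 7 and 8 of the sample) and ignores the write that carries no credential data.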

The second vulnerability is classified as CWE-1394 (use of default cryptographic key), in which the product uses a default cryptographic key for potentially critical functionality. It is common practice for products to be designed to use default keys; the rationale is to simplify the manufacturing process or the system administrator’s task of installation and deployment into an enterprise. However, if administrators do not change the defaults, attackers can more easily bypass authentication quickly across multiple organizations.

HC3 said that the Baxter Welch Allyn Connex Spot Monitor may allow configuration/environment manipulation, which affects the Welch Allyn Connex Spot Monitor in all versions before 1.52.

Baxter recommends a couple of workarounds to help reduce risk, including applying proper network and physical security controls. The Welch Allyn Configuration Tool has been removed from public access. The vendor also called upon organizations to ensure a unique encryption key is configured and applied to the product in line with the Connex Spot Monitor Service Manual. 

CISA recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability, such as reducing network exposure for all control system devices and/or systems and ensuring they are not accessible from the internet, and locating control system networks and remote devices behind firewalls, isolated from business networks. When remote access is required, more secure methods such as Virtual Private Networks (VPNs) should be used, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Organizations must also recognize that a VPN is only as secure as the devices connected to it.

Last month, the HC3 published an analyst note detailing that a distributed-denial-of-service (DDoS) attack is a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of DDoS attacks increasing yearly, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses.
