cnvd - cnvd-2015-07336

CNVD-2015-07336

Vulnerability from cnvd - Published: 2015-11-09

Title

Baxter SIGMA Spectrum Infusion System本地安全绕过漏洞

Description

Baxter SIGMA Spectrum Infusion System是美国百特（Baxter）公司的一套智能输液系统。 Baxter SIGMA Spectrum Infusion System中存在本地安全绕过漏洞。本地攻击者可利用该漏洞绕过安全限制，执行未授权操作。

Severity

中

Patch Name

Baxter SIGMA Spectrum Infusion System本地安全绕过漏洞的补丁

Patch Description

Baxter SIGMA Spectrum Infusion System是美国百特（Baxter）公司的一套智能输液系统。 Baxter SIGMA Spectrum Infusion System中存在本地安全绕过漏洞。本地攻击者可利用该漏洞绕过安全限制，执行未授权操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.sigmapumps.com/

Reference

http://www.securityfocus.com/bid/76898

Impacted products

Name
Baxter SIGMA Spectrum Infusion System

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "76898"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-5431"
    }
  },
  "description": "Baxter SIGMA Spectrum Infusion System\u662f\u7f8e\u56fd\u767e\u7279\uff08Baxter\uff09\u516c\u53f8\u7684\u4e00\u5957\u667a\u80fd\u8f93\u6db2\u7cfb\u7edf\u3002\r\n\r\nBaxter SIGMA Spectrum Infusion System\u4e2d\u5b58\u5728\u672c\u5730\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "discovererName": "Jared Bird with Allina IS Security",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www.sigmapumps.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-07336",
  "openTime": "2015-11-09",
  "patchDescription": "Baxter SIGMA Spectrum Infusion System\u662f\u7f8e\u56fd\u767e\u7279\uff08Baxter\uff09\u516c\u53f8\u7684\u4e00\u5957\u667a\u80fd\u8f93\u6db2\u7cfb\u7edf\u3002\r\nBaxter SIGMA Spectrum Infusion System\u4e2d\u5b58\u5728\u672c\u5730\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Baxter SIGMA Spectrum Infusion System\u672c\u5730\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Baxter SIGMA Spectrum Infusion System"
  },
  "referenceLink": "http://www.securityfocus.com/bid/76898",
  "serverity": "\u4e2d",
  "submitTime": "2015-11-06",
  "title": "Baxter SIGMA Spectrum Infusion System\u672c\u5730\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2014-5431 (GCVE-0-2014-5431)

Vulnerability from cvelistv5 – Published: 2019-03-26 15:37 – Updated: 2024-08-06 11:41

Summary

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to access management functions to make unauthorized configuration changes to biomedical settings such as turn on and off wireless connections and the phase-complete audible alarm that indicates the end of an infusion phase. Baxter has released a new version of the SIGMA Spectrum Infusion System, version 8, which incorporates hardware and software changes.

Severity ?

No CVSS data available.

CWE

CWE-259 - Hard-coded password CWE-259

Assigner

icscert

References

URL

Tags

https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Baxter	SIGMA Spectrum Infusion System	Affected: 6.05 (model 35700BAX) with wireless battery module (WBM) version 16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SIGMA Spectrum Infusion System",
          "vendor": "Baxter",
          "versions": [
            {
              "status": "affected",
              "version": "6.05 (model 35700BAX) with wireless battery module (WBM) version 16"
            }
          ]
        }
      ],
      "datePublic": "2015-06-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to access management functions to make unauthorized configuration changes to biomedical settings such as turn on and off wireless connections and the phase-complete audible alarm that indicates the end of an infusion phase. Baxter has released a new version of the SIGMA Spectrum Infusion System, version 8, which incorporates hardware and software changes."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-259",
              "description": "Hard-coded password CWE-259",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-26T15:37:49",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5431",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SIGMA Spectrum Infusion System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.05 (model 35700BAX) with wireless battery module (WBM) version 16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Baxter"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to access management functions to make unauthorized configuration changes to biomedical settings such as turn on and off wireless connections and the phase-complete audible alarm that indicates the end of an infusion phase. Baxter has released a new version of the SIGMA Spectrum Infusion System, version 8, which incorporates hardware and software changes."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Hard-coded password CWE-259"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5431",
    "datePublished": "2019-03-26T15:37:49",
    "dateReserved": "2014-08-22T00:00:00",
    "dateUpdated": "2024-08-06T11:41:49.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-07336

CVE-2014-5431 (GCVE-0-2014-5431)

Tags

Sightings

Nomenclature