HC3 alerts hospitals of cybersecurity vulnerabilities in blood pressure monitor

The critical cybersecurity vulnerabilities in Baxter Welch Allyn Configuration Tool and Baxter Welch Allyn Connex Spot Monitor are exploitable remotely.

The HHS Health Sector Cybersecurity Coordination Center (HC3) published a sector alert regarding two recently disclosed critical cybersecurity vulnerabilities in Baxter products that could result in credential exposure if exploited. The vulnerabilities affect the Baxter Welch Allyn Configuration Tool (versions 1.9.4.1 and prior) and the Baxter Welch Allyn Connex Spot Monitor (versions 1.52 and prior).

The configuration tool vulnerability (CVE-2024-5176) received a Common Vulnerability Scoring System (CVSS) score of 9.4, while the spot monitor vulnerability (CVE-2024-1275) received a CVSS score of 9.1.

The alert followed a Cybersecurity and Infrastructure Security Agency (CISA) industrial control systems (ICS) medical advisory on the subject, which first alerted the healthcare sector to the potential risks associated with these vulnerabilities.

Baxter disclosed the vulnerabilities to CISA and said that it has not found any evidence that either vulnerability has been exploited in the wild. However, both are exploitable remotely and could lead to the unintended exposure of credentials to unauthorized users. Additionally, exploitation of these vulnerabilities could allow an attacker to modify device configuration and firmware data.

“Successful exploitation of one of these vulnerabilities could result in an impact and/or delay to patient care,” HC3 noted.

The configuration tool vulnerability involves insufficiently protected credentials. In this case, the product transmits authentication credentials in an insecure way that makes it susceptible to unauthorized interception.

The vulnerability in the spot monitor involves the use of a default cryptographic key.

“It is common practice for products to be designed to use default keys,” HC3 stated. “The rationale is to simplify the manufacturing process or the system administrator’s task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.”

Baxter released a software update for the spot monitor and recommended that all users upgrade to the latest versions of their products. Baxter also recommends applying proper network and physical security controls and ensuring that a unique encryption key is configured on the product to further reduce risk.

Baxter said it expects to release a software update pertaining to the configuration tool vulnerability in Q3 2024, and no user action will be required with the update. In the meantime, the configuration tool has been removed from public access, and customers should contact their Baxter project manager to create configuration files as needed.

In general, CISA advises organizations to minimize network exposure for control system devices by ensuring that they are inaccessible from the internet. If remote access is required, organizations should use virtual private networks to enhance security.
