Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Welch Allyn Connex Spot Monitor by Baxter

    CVE-2024-1275 (GCVE-0-2024-1275)

    Vulnerability from nvd – Published: 2024-05-31 17:23 – Updated: 2024-08-01 18:33
    VLAI
    Title
    Vulnerability in Baxter Welch Allyn Connex Spot Monitor
    Summary
    Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1394 - Use of Default Cryptographic Key
    Assigner
    Impacted products
    Vendor Product Version
    Baxter Welch Allyn Connex Spot Monitor Affected: 0 , ≤ 1.52 (custom)
    Create a notification for this product.
    baxter welch_allyn_connex_spot_monitor Affected: 0 , ≤ 1.52 (custom)
        cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-30 17:00
    Credits
    Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "welch_allyn_connex_spot_monitor",
                "vendor": "baxter",
                "versions": [
                  {
                    "lessThanOrEqual": "1.52",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1275",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T14:39:19.332683Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T15:01:00.230Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.355Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Welch Allyn Connex Spot Monitor",
              "vendor": "Baxter",
              "versions": [
                {
                  "lessThanOrEqual": "1.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter."
            }
          ],
          "datePublic": "2024-05-30T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.\u003cp\u003eThis issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.\u003c/p\u003e"
                }
              ],
              "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-176",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-176 Configuration/Environment Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1394",
                  "description": "CWE-1394 Use of Default Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-05T14:42:55.386Z",
            "orgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
            "shortName": "Baxter"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eBaxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWelch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.baxter.com/product-security\"\u003eBaxter disclosure page\u003c/a\u003e\u0026nbsp;or the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.hillrom.com/en/responsible-disclosures/\"\u003eHillrom disclosure page\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eBaxter recommends the following workarounds to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eApply proper network and physical security controls.\u003c/li\u003e\u003cli\u003eEnsure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\n\n  *  Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\n\n\nBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the  Baxter disclosure page https://www.baxter.com/product-security \u00a0or the  Hillrom disclosure page https://www.hillrom.com/en/responsible-disclosures/ .\n\nBaxter recommends the following workarounds to help reduce risk:\n\n  *  Apply proper network and physical security controls.\n  *  Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual)."
            }
          ],
          "source": {
            "advisory": "ICSMA-24-151-02",
            "discovery": "UNKNOWN"
          },
          "title": "Vulnerability in Baxter Welch Allyn Connex Spot Monitor",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
        "assignerShortName": "Baxter",
        "cveId": "CVE-2024-1275",
        "datePublished": "2024-05-31T17:23:19.207Z",
        "dateReserved": "2024-02-06T14:20:33.446Z",
        "dateUpdated": "2024-08-01T18:33:25.355Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1275 (GCVE-0-2024-1275)

    Vulnerability from cvelistv5 – Published: 2024-05-31 17:23 – Updated: 2024-08-01 18:33
    VLAI
    Title
    Vulnerability in Baxter Welch Allyn Connex Spot Monitor
    Summary
    Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1394 - Use of Default Cryptographic Key
    Assigner
    Impacted products
    Vendor Product Version
    Baxter Welch Allyn Connex Spot Monitor Affected: 0 , ≤ 1.52 (custom)
    Create a notification for this product.
    baxter welch_allyn_connex_spot_monitor Affected: 0 , ≤ 1.52 (custom)
        cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-30 17:00
    Credits
    Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "welch_allyn_connex_spot_monitor",
                "vendor": "baxter",
                "versions": [
                  {
                    "lessThanOrEqual": "1.52",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1275",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T14:39:19.332683Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T15:01:00.230Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.355Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Welch Allyn Connex Spot Monitor",
              "vendor": "Baxter",
              "versions": [
                {
                  "lessThanOrEqual": "1.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter."
            }
          ],
          "datePublic": "2024-05-30T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.\u003cp\u003eThis issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.\u003c/p\u003e"
                }
              ],
              "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-176",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-176 Configuration/Environment Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1394",
                  "description": "CWE-1394 Use of Default Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-05T14:42:55.386Z",
            "orgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
            "shortName": "Baxter"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eBaxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWelch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.baxter.com/product-security\"\u003eBaxter disclosure page\u003c/a\u003e\u0026nbsp;or the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.hillrom.com/en/responsible-disclosures/\"\u003eHillrom disclosure page\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eBaxter recommends the following workarounds to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eApply proper network and physical security controls.\u003c/li\u003e\u003cli\u003eEnsure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\n\n  *  Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\n\n\nBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the  Baxter disclosure page https://www.baxter.com/product-security \u00a0or the  Hillrom disclosure page https://www.hillrom.com/en/responsible-disclosures/ .\n\nBaxter recommends the following workarounds to help reduce risk:\n\n  *  Apply proper network and physical security controls.\n  *  Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual)."
            }
          ],
          "source": {
            "advisory": "ICSMA-24-151-02",
            "discovery": "UNKNOWN"
          },
          "title": "Vulnerability in Baxter Welch Allyn Connex Spot Monitor",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
        "assignerShortName": "Baxter",
        "cveId": "CVE-2024-1275",
        "datePublished": "2024-05-31T17:23:19.207Z",
        "dateReserved": "2024-02-06T14:20:33.446Z",
        "dateUpdated": "2024-08-01T18:33:25.355Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }