Successful exploitation of CVE-2024-1275 could lead to data compromise, resulting in impact and/or delay in patient care

Threat ID:CC-4506

Threat Severity:Low

Published:31 May 2024 4:14 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: 1.52 and earlier

Baxter Welch Allyn Connex Spot Monitor

Threat details

Introduction

Baxter has released a security update to address a vulnerability based on the use of default cryptographic keys, which affects the Baxter (formerly manufactured by Hillrom) Welch Allyn medical device Connex Spot Monitor (CSM). This vulnerability has a CVSSv3 score of 7.4. CSM allows clinicians to spot-check a patient's respiration rate, acquiring readings to help reduce transcription errors, and detect signs of deterioration.

If exploited, an attacker could modify device configurations and firmware data, resulting in impact and/or delay to patient care.

Remediation advice

Affected organisations are encouraged to review US Cybersecurity and Infrastructure Security Agency (CISA)'s advisory ICSMA-24-151-02 and apply the following update from Baxter.

Welch Allyn Connex Spot Monitor: Version 1.5.2.01 (available October 16, 2023)

Baxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page or the Hillrom disclosure page.

Baxter recommends the following workarounds to help reduce risk:

Apply proper network and physical security controls.

Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).

Definitive source of threat updates

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02

https://www.baxter.com/product-security

CVE Vulnerabilities

StatusReserved

CVE-2024-1275

Last edited: 31 May 2024 4:15 pm