CVE-2024-1275 - Vulnerability Details - OpenCVE

ReportizFlow

Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: Baxter

Published: 2024-05-31T17:23:19.207Z

Updated: 2024-08-01T18:33:25.355Z

Reserved: 2024-02-06T14:20:33.446Z

Link: CVE-2024-1275

Vulnrichment

Updated: 2024-08-01T18:33:25.355Z

NVD

Status : Awaiting Analysis

Published: 2024-05-31T18:15:10.140

Modified: 2024-11-21T08:50:12.913

Link: CVE-2024-1275

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1275", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "state": "PUBLISHED", "assignerShortName": "Baxter", "dateReserved": "2024-02-06T14:20:33.446Z", "datePublished": "2024-05-31T17:23:19.207Z", "dateUpdated": "2024-08-01T18:33:25.355Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Welch Allyn Connex Spot Monitor", "vendor": "Baxter", "versions": [{"lessThanOrEqual": "1.52", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter."}], "datePublic": "2024-05-30T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.<p>This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.</p>"}], "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52."}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.1, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1394", "description": "CWE-1394 Use of Default Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-06-05T14:42:55.386Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:</p><ul><li>Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)</li></ul><p>Baxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.baxter.com/product-security\">Baxter disclosure page</a> or the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.hillrom.com/en/responsible-disclosures/\">Hillrom disclosure page</a>.</p><p>Baxter recommends the following workarounds to help reduce risk:</p><ul><li>Apply proper network and physical security controls.</li><li>Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).</li></ul>"}], "value": "Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\n\n * Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\n\n\nBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page https://www.baxter.com/product-security \u00a0or the Hillrom disclosure page https://www.hillrom.com/en/responsible-disclosures/ .\n\nBaxter recommends the following workarounds to help reduce risk:\n\n * Apply proper network and physical security controls.\n * Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual)."}], "source": {"advisory": "ICSMA-24-151-02", "discovery": "UNKNOWN"}, "title": "Vulnerability in Baxter Welch Allyn Connex Spot Monitor", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "baxter", "product": "welch_allyn_connex_spot_monitor", "cpes": ["cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.52", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T14:39:19.332683Z", "id": "CVE-2024-1275", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T15:01:00.230Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.355Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:33:25.355Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-05T14:39:19.332683Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:baxter:welch_allyn_connex_spot_monitor:*:*:*:*:*:*:*:*"], "vendor": "baxter", "product": "welch_allyn_connex_spot_monitor", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.52"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T14:33:06.809Z"}}], "cna": {"title": "Vulnerability in Baxter Welch Allyn Connex Spot Monitor", "source": {"advisory": "ICSMA-24-151-02", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Maarten Boone and Edwin Van Andel (CTO of Zerocopter) reported this vulnerability to Baxter."}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Baxter", "product": "Welch Allyn Connex Spot Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.52"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:\n\n * Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)\n\n\nBaxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page https://www.baxter.com/product-security \u00a0or the Hillrom disclosure page https://www.hillrom.com/en/responsible-disclosures/ .\n\nBaxter recommends the following workarounds to help reduce risk:\n\n * Apply proper network and physical security controls.\n * Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).", "supportingMedia": [{"type": "text/html", "value": "<p>Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:</p><ul><li>Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)</li></ul><p>Baxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.baxter.com/product-security\">Baxter disclosure page</a> or the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.hillrom.com/en/responsible-disclosures/\">Hillrom disclosure page</a>.</p><p>Baxter recommends the following workarounds to help reduce risk:</p><ul><li>Apply proper network and physical security controls.</li><li>Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).</li></ul>", "base64": false}]}], "datePublic": "2024-05-30T17:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.", "supportingMedia": [{"type": "text/html", "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.<p>This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1394", "description": "CWE-1394 Use of Default Cryptographic Key"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-06-05T14:42:55.386Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1275", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:33:25.355Z", "dateReserved": "2024-02-06T14:20:33.446Z", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "datePublished": "2024-05-31T17:23:19.207Z", "assignerShortName": "Baxter"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52."}, {"lang": "es", "value": "El uso de la vulnerabilidad de clave criptogr\u00e1fica predeterminada en Baxter Welch Ally Connex Spot Monitor puede permitir la manipulaci\u00f3n de la configuraci\u00f3n/entorno. Este problema afecta a Welch Ally Connex Spot Monitor en todas las versiones anteriores a la 1.52."}], "id": "CVE-2024-1275", "lastModified": "2024-11-21T08:50:12.913", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-31T18:15:10.140", "references": [{"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1394"}], "source": "[email protected]", "type": "Secondary"}]}