cnvd - cnvd-2021-21074

cnvd-2021-21074

Vulnerability from cnvd

Title: Baxter ExactaMix EM2400和ExactaMix EM1200信任管理问题漏洞（CNVD-2021-21074）

Description:

Baxter ExactaMix EM2400和ExactaMix EM1200都是美国百特（Baxter）公司的一套自动化药物混料系统。

Baxter ExactaMix EM2400和ExactaMix EM1200中存在信任管理问题漏洞，该漏洞源于ExactaMix应用程序使用了硬编码的管理账户凭证，攻击者可利用该漏洞未授权查看、更新系统配置或数据，泄露敏感信息（包括PHI）。

Severity: 中

Patch Name: Baxter ExactaMix EM2400和ExactaMix EM1200信任管理问题漏洞（CNVD-2021-21074）的补丁

Patch Description:

Baxter ExactaMix EM2400和ExactaMix EM1200都是美国百特（Baxter）公司的一套自动化药物混料系统。

Baxter ExactaMix EM2400和ExactaMix EM1200中存在信任管理问题漏洞，该漏洞源于ExactaMix应用程序使用了硬编码的管理账户凭证，攻击者可利用该漏洞未授权查看、更新系统配置或数据，泄露敏感信息（包括PHI）。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.baxter.com/

Reference: https://www.us-cert.gov/ics/advisories/icsma-20-170-01

Impacted products

Name
['Baxter ExactaMix EM1200 1.1', 'Baxter ExactaMix EM1200 1.2', 'Baxter ExactaMix EM1200 1.4', 'Baxter ExactaMix EM 2400 1.10', 'Baxter ExactaMix EM 2400 1.11', 'Baxter ExactaMix EM 2400 1.13']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-12012"
    }
  },
  "description": "Baxter ExactaMix EM2400\u548cExactaMix EM1200\u90fd\u662f\u7f8e\u56fd\u767e\u7279\uff08Baxter\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u836f\u7269\u6df7\u6599\u7cfb\u7edf\u3002\n\nBaxter ExactaMix EM2400\u548cExactaMix EM1200\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eExactaMix\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u7684\u7ba1\u7406\u8d26\u6237\u51ed\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u67e5\u770b\u3001\u66f4\u65b0\u7cfb\u7edf\u914d\u7f6e\u6216\u6570\u636e\uff0c\u6cc4\u9732\u654f\u611f\u4fe1\u606f\uff08\u5305\u62ecPHI\uff09\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.baxter.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-21074",
  "openTime": "2021-03-23",
  "patchDescription": "Baxter ExactaMix EM2400\u548cExactaMix EM1200\u90fd\u662f\u7f8e\u56fd\u767e\u7279\uff08Baxter\uff09\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u836f\u7269\u6df7\u6599\u7cfb\u7edf\u3002\r\n\r\nBaxter ExactaMix EM2400\u548cExactaMix EM1200\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eExactaMix\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u7684\u7ba1\u7406\u8d26\u6237\u51ed\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u67e5\u770b\u3001\u66f4\u65b0\u7cfb\u7edf\u914d\u7f6e\u6216\u6570\u636e\uff0c\u6cc4\u9732\u654f\u611f\u4fe1\u606f\uff08\u5305\u62ecPHI\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Baxter ExactaMix EM2400\u548cExactaMix EM1200\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-21074\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Baxter ExactaMix EM1200 1.1",
      "Baxter ExactaMix EM1200 1.2",
      "Baxter ExactaMix EM1200 1.4",
      "Baxter ExactaMix EM 2400 1.10",
      "Baxter ExactaMix EM 2400 1.11",
      "Baxter ExactaMix EM 2400 1.13"
    ]
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-19",
  "title": "Baxter ExactaMix EM2400\u548cExactaMix EM1200\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-21074\uff09"
}

CVE-2020-12012 (GCVE-0-2020-12012)

Vulnerability from cvelistv5

Published

2020-06-29 13:54

Modified

2024-08-04 11:48

Severity ?

CWE

CWE-259 - USE OF HARD-CODED PASSWORD

Summary

Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials for the ExactaMix application. Successful exploitation of this vulnerability may allow an attacker with physical access to gain unauthorized access to view/update system configuration or data. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.

References

▼	URL	Tags
	https://www.us-cert.gov/ics/advisories/icsma-20-170-01	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Baxter ExactaMix EM 2400 & EM 1200	Version: ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.903Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Baxter ExactaMix EM 2400 \u0026 EM 1200",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Baxter ExactaMix EM 2400 \u0026 EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials for the ExactaMix application. Successful exploitation of this vulnerability may allow an attacker with physical access to gain unauthorized access to view/update system configuration or data. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-259",
              "description": "USE OF HARD-CODED PASSWORD CWE-259",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-29T13:54:53",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12012",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Baxter ExactaMix EM 2400 \u0026 EM 1200",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Baxter ExactaMix EM 2400 \u0026 EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials for the ExactaMix application. Successful exploitation of this vulnerability may allow an attacker with physical access to gain unauthorized access to view/update system configuration or data. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE OF HARD-CODED PASSWORD CWE-259"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-12012",
    "datePublished": "2020-06-29T13:54:53",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted