View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.1
• ATTENTION: Exploitable remotely
• Vendor: Schneider Electric
• Equipment: EcoStruxure Control Expert, EcoStruxure Process Expert and Modicon M340, M580 and M580 Safety PLCs
• Vulnerabilities: Improper Enforcement of Message Integrity During Transmission in a Communication Channel, Use of Hard-coded Credentials, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a denial of service, a loss of confidentiality, and threaten the integrity of controllers.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

• Modicon M340 CPU (part numbers BMXP34*): Versions prior to sv3.60 (CVE-2023-6408)
• Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety): Versions prior to SV4.20 (CVE-2023-6408)
• Modicon M580 CPU Safety: Versions prior to SV4.21 (CVE-2023-6408)
• EcoStruxure Control Expert: Versions prior to v16.0
• EcoStruxure Process Expert: Versions prior to v2023
• Modicon MC80 (part numbers BMKC80): All versions (CVE-2023-6408)
• Modicon Momentum Unity M1E Processor (171CBU*): All versions (CVE-2023-6408)

3.2 Vulnerability Overview

3.2.1 IMPROPER ENFORCEMENT OF MESSAGE INTEGRITY DURING TRANSMISSION IN A COMMUNICATION CHANNEL CWE-924

An improper enforcement of message integrity during transmission in a communication channel vulnerability exists that could cause a denial of service, a loss of confidentiality, and threaten the integrity of controllers through a man-in-the-middle attack.

CVE-2023-6408 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

A use of hard-coded credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

CVE-2023-6409 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An insufficiently protected credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

CVE-2023-27975 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Gao Jian, Jianshuang Ding, and Kaikai Yang reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following remediations and mitigations users can apply to reduce risk:

Modicon M340 CPU (part numbers BMXP34*):

• Firmware Version SV3.60 includes a fix for this vulnerability and is available for download.
• Set up an application password in the project properties.
• Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of the user manuals: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”:
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
• Ensure the M340 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.

Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety):

• Firmware Versions SV4.20 includes a fix for this vulnerability and is available for download.
• Set up an application password in the project properties
• Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”.
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
• Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”:
• Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”.
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”.
• Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.
• The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication .

Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S):

• Firmware SV4.21 includes a fix for CVE-2023-6408 and is available for download. Important: users needs to use version of EcoStruxure Control Expert v16.0 HF001 minimum to connect with the latest version of M580 CPU Safety.
• If users choose not to apply the remediation, they are encouraged to immediately apply the following mitigations to reduce the risk of exploit:
• Set up an application password in the project properties.
• Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the Access Control List following the recommendations of “Modicon M580, Hardware, Reference Manual”
• Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”.
• Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/
• Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”
• Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
• Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”
• NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
• To further reduce the attack surface on Modicon M580 CPU Safety: Ensure the CPU is running in Safety mode and maintenance input is configured to maintain this Safety mode during operation – refer to the document Modicon M580 – Safety System Planning Guide – in the chapter “Operating Mode Transitions”.
• Schneider Electric is establishing a remediation plan for all future versions of EcoStruxure Process Expert that will include a fix for CVE-2023-6409 and CVE-2023-27975. They will update SEVD-2024-317-04 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

Modicon MC80 (part numbers BMKC80):

• Set up an application password in the project properties.
• Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Configure the access control list following the recommendations of “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)” a secure communication according to “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”.
• (CVE-2023-6408) Schneider Electric Modicon Momentum Unity M1E Processor (171CBU*) All versions: Setup an application password in the project properties
  • Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP
  • Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”:

EcoStruxure Control Expert:

• Version 16.0 includes a fix for these vulnerabilities and is available for download. Reboot the computer after installation is completed.
• Enable encryption on application project and store application files in secure location with restricted access only for legitimate users.
• Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

EcoStruxure Process Expert:

• Version 15.3 HF008 includes the fix for these vulnerabilities and is available for download.
• EcoStruxure Process Expert manages application files within its database in secure way. Do not export & store them outside the application.
• Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices and the associated Schneider Electric Security Notification SEVD-2024-044-01 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

• November 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: MicroSCADA Pro/X SYS600
• Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Authentication Bypass by Capture-replay, Missing Authentication for Critical Function, URL Redirection to Untrusted Site (‘Open Redirect’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

• Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.0 to Version 10.5 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7941)
• Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.2 to Version 10.5 (CVE-2024-7940)
• Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.5 (CVE-2024-7941)
• Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP1 (CVE-2024-3980)
• Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP2 HF1 to Version 9.4 FP2 HF5 (CVE-2024-4872, CVE-2024-3980)

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An attacker with local access to a machine where MicroSCADA X SYS600 is installed could enable session logging and try to exploit a session hijacking of an already established session. By default, the session logging level is not enabled and only users with administrator rights can enable it.

CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The product exposes a service that is intended for local only to all network interfaces without any authentication.

CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.5 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

A HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

CVE-2024-7941 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

3.3 PRODUCT IMPACT

Product-specific impact for an affected product vulnerable to the CVE:

• CVE-2024-4872
  • (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
• CVE-2024-3980
  • (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.4 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Hitachi Energy MicroSCADA X SYS600: Update to Version 10.6
• (CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA Pro SYS600: Apply Patch 9.4 FP2 HF6 (Installation of previous FP2 hotfixes are required prior to the installation of HF6)
• (CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA X SYS600, Hitachi Energy MicroSCADA Pro SYS600: Follow the general mitigation factors below.
• (CVE-2024-3982, CVE-2024-7940, CVE-2024-7941) Hitachi Energy MicroSCADA X SYS600: Follow the general mitigation factors below.

Hitachi Energy recommends the following security practices and firewall configurations to help protect process control networks from attacks that originate from outside the network:

• Ensure process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
• Process control systems should not be used for Internet
  surfing, instant messaging, or receiving e-mails.
• Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
• Proper password policies and processes should be followed.

For detailed mitigation strategies, users can approach their Hitachi Energy organization contact.

Hitachi Electric highly recommends deploying the product following the “MicroSCADA cybersecurity deployment guideline” document. Users should maintain their systems with products running on supported versions and follow maintenance releases.

For more information, see Hitachi Energy Cybersecurity Advisory “Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 product”

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Baxter
• Equipment: Life2000 Ventilation System
• Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of Hard-Coded Credentials, Improper Physical Access Control, Download of Code Without Integrity Check, On-Chip Debug and Test Interface With Improper Access Control, Missing Support for Security Features in On-Chip Fabrics or Buses, Missing Authentication for Critical Function, Insufficient Logging

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to information disclosure and/or disruption of the device’s function without detection.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Baxter (formerly Hillrom) products are affected:

• Life2000 Ventilation System: Version 06.08.00.00 and prior

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION (CWE-319)

Improper data protection on the ventilator’s serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-9834 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9834. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS (CWE-307)

There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure..

CVE-2024-9832 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9832. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 USE OF HARD-CODED CREDENTIALS (CWE-798)

The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges.

CVE-2024-48971 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48971. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 IMPROPER PHYSICAL ACCESS CONTROL (CWE-1263)

The debug port on the ventilator’s serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-48973 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48973. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.5 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK (CWE-494)

The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device’s configuration settings and/or compromise device functionality by pushing a compromised/illegitimate firmware file. This could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48974 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48974. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.6 ON-CHIP DEBUG AND TEST INTERFACE WITH IMPROPER ACCESS CONTROL (CWE-1191)

The ventilator’s microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.

CVE-2024-48970 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48970. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.7 MISSING SUPPORT FOR SECURITY FEATURES IN ON-CHIP FABRICS OR BUSES (CWE-1318)

The flash memory read-out protection feature on the microcontroller does not block memory access via the ICode bus. Attackers can exploit this in conjunction with certain CPU exception handling behaviors to gain knowledge of how the onboard flash memory is organized and ultimately bypass read-out protection to expose memory contents.

CVE-2020-8004 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2020-8004. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE-306)

The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator’s settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

CVE-2024-48966 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48966. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.9 INSUFFICIENT LOGGING (CWE-778)

The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator and/or the Service PC could, without detection, make unauthorized changes to ventilator settings that result in unauthorized disclosure of information and/or have unintended impacts on device performance.

CVE-2024-48967 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48967. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: United States
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported these vulnerabilities to CISA.

4. MITIGATIONS

Baxter plans to issue a follow-up announcement in Q2 2025 regarding the Life2000 vulnerabilities described in this disclosure.

Baxter is unaware of any exploitation of these vulnerabilities and/or the compromise of personal or health data.

Baxter recommends that users of the Life2000 Ventilation System not leave their ventilators unattended in public or unsecured areas. Maintaining physical possession and control of the ventilator reduces the likelihood of a malicious actor gaining access to the device.

For more information, refer to Baxter’s Product Security and Responsible Disclosures web page.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• November 14, 2024: Initial Publication