Critical Vulnerabilities Found in Baxter Life2000 Ventilation System

Baxter Life2000 Ventilation System - CVE-2024-48966

The Baxter Life2000 Ventilation System, a key healthcare device used in critical infrastructure sectors, has been found to contain multiple severe vulnerabilities. These issues, detailed in a recent security advisory (ICSMA-24-319-01), pose risks including unauthorized access, data exposure, and operational disruptions.

The advisory outlines several vulnerabilities in the Life2000 system, including:

  1. CVE-2024-9834 (CVSSv4 9.3): Cleartext Transmission of Sensitive Information
    This vulnerability allows attackers to exploit the device’s unencrypted serial interface to gain unauthorized access and manipulate device settings. Baxter describes this as leading to unauthorized disclosure of information and/or unintended impacts on device settings and performance.
  2. CVE-2024-9832 (CVSSv4 9.4): Improper Restriction of Excessive Authentication Attempts
    Without a limit on login attempts, attackers can use brute-force techniques to access the ventilator’s settings, potentially compromising patient safety.
  3. CVE-2024-48971 (CVSSv4 9.4): Use of Hard-Coded Credentials
    Hard-coded clinician passwords allow attackers to bypass authentication and take control of the ventilator.
  4. CVE-2024-48973 (CVSSv4 9.4): Improper Physical Access Control
    The debug port is enabled by default, exposing the device to physical tampering that could result in data breaches or unauthorized setting changes.
  5. CVE-2024-48974 (CVSSv4 9.4): Download of Code Without Integrity Check
    The lack of integrity checks on firmware updates opens the door to malicious code injection.
  6. CVE-2024-48966 (CVSSv4 10): Missing Authentication for Critical Functions
    Service tools for testing and calibration lack authentication, allowing attackers to manipulate settings or firmware.

Successful exploitation of these vulnerabilities could lead to:

  • Information Disclosure: Leaking sensitive patient or operational data.
  • Device Disruption: Unauthorized setting changes could render the device inoperable.
  • Patient Safety Risks: Manipulation of critical functions could directly impact patient care.

As the advisory states, these vulnerabilities “could lead to information disclosure and/or disruption of the device’s function without detection.

While no active exploitation of these vulnerabilities has been reported, Baxter has provided interim guidelines:

  • Physical Security: Users should avoid leaving devices unattended in unsecured areas.
  • Vigilance in Updates: Baxter plans to release an update addressing these issues by Q2 2025.
  • Monitoring and Reporting: Organizations should implement logging and monitoring to detect malicious activity and follow proper reporting protocols.

Related Posts: