CVE-2020-12048 - OpenCVE

Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Baxter	Phoenix X36 Phoenix X36 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:::::::*
	cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:::::::*

No data.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsma-20-170-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-06-29T13:48:04

Updated: 2024-08-04T11:48:57.931Z

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-12048

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-29T14:15:11.990

Modified: 2020-07-16T13:12:20.120

Link: CVE-2020-12048

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Baxter Phoenix Hemodialysis Delivery System", "vendor": "n/a", "versions": [{"status": "affected", "version": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"}]}], "descriptions": [{"lang": "en", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-29T13:48:04", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-12048", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Baxter Phoenix Hemodialysis Delivery System", "version": {"version_data": [{"version_value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:57.931Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-12048", "datePublished": "2020-06-29T13:48:04", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2024-08-04T11:48:57.931Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*", "matchCriteriaId": "D4EE9264-DAE6-4010-A27E-DFA71C1CD165", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*", "matchCriteriaId": "1809D598-FB9F-4D54-8B3F-119B3A549F05", "vulnerable": true}, {"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*", "matchCriteriaId": "3B2F08A4-7907-400E-9D60-812A2F0BA929", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}, {"lang": "es", "value": "Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\u00f3n de datos de di\u00e1lisis Exalis. Un atacante con acceso a la red podr\u00eda observar el tratamiento confidencial y los datos de prescripci\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis"}], "id": "CVE-2020-12048", "lastModified": "2020-07-16T13:12:20.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-29T14:15:11.990", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}