{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-48966", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "state": "PUBLISHED", "assignerShortName": "Baxter", "dateReserved": "2024-10-10T19:24:34.436Z", "datePublished": "2024-11-14T21:38:11.113Z", "dateUpdated": "2024-11-15T15:37:40.878Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Life2000 Ventilation System", "vendor": "Baxter", "versions": [{"status": "affected", "version": "06.08.00.00 and prior"}]}], "datePublic": "2024-11-14T21:33:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance."}], "value": "The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance."}], "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}, {"capecId": "CAPEC-441", "descriptions": [{"lang": "en", "value": "CAPEC-441 Malicious Logic Insertion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-11-14T21:53:00.216Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01"}], "source": {"discovery": "UNKNOWN"}, "title": "Life2000 service tools for test and calibration do not support user authentication", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-48966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-15T15:33:11.667501Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:baxter:life2000_ventilator_firmware:*:*:*:*:*:*:*:*"], "vendor": "baxter", "product": "life2000_ventilator_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "6.08.00.00", "versionType": "custom"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T15:37:40.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Life2000 service tools for test and calibration do not support user authentication", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}, {"capecId": "CAPEC-441", "descriptions": [{"lang": "en", "value": "CAPEC-441 Malicious Logic Insertion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Baxter", "product": "Life2000 Ventilation System", "versions": [{"status": "affected", "version": "06.08.00.00 and prior"}], "defaultStatus": "unaffected"}], "datePublic": "2024-11-14T21:33:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.", "supportingMedia": [{"type": "text/html", "value": "The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-11-14T21:53:00.216Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-48966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-15T15:33:11.667501Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:baxter:life2000_ventilator_firmware:*:*:*:*:*:*:*:*"], "vendor": "baxter", "product": "life2000_ventilator_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "6.08.00.00", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-11-15T15:33:37.459Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-48966", "state": "PUBLISHED", "dateUpdated": "2024-11-14T21:53:00.216Z", "dateReserved": "2024-10-10T19:24:34.436Z", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "datePublished": "2024-11-14T21:38:11.113Z", "assignerShortName": "Baxter"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without having to authenticate to either tool. This could result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance."}, {"lang": "es", "value": "Las herramientas de software que utiliza el personal de servicio para probar y calibrar el respirador no admiten la autenticaci\u00f3n de usuarios. Un atacante con acceso a la PC de servicio donde est\u00e1n instaladas las herramientas podr\u00eda obtener informaci\u00f3n de diagn\u00f3stico a trav\u00e9s de la herramienta de prueba o manipular la configuraci\u00f3n del respirador y el software integrado a trav\u00e9s de la herramienta de calibraci\u00f3n, sin tener que autenticarse en ninguna de las herramientas. Esto podr\u00eda dar lugar a una divulgaci\u00f3n no autorizada de informaci\u00f3n o tener efectos no deseados en la configuraci\u00f3n y el rendimiento del dispositivo."}], "id": "CVE-2024-48966", "lastModified": "2024-11-15T13:58:08.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "productsecurity@baxter.com", "type": "Secondary"}]}, "published": "2024-11-14T22:15:17.727", "references": [{"source": "productsecurity@baxter.com", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01"}], "sourceIdentifier": "productsecurity@baxter.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "productsecurity@baxter.com", "type": "Secondary"}]}

{}