CVE-2024-5176 - OpenCVE

Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: Baxter

Published: 2024-05-31T17:26:05.140Z

Updated: 2024-09-03T15:31:58.511Z

Reserved: 2024-05-21T16:07:59.038Z

Link: CVE-2024-5176

Vulnrichment

Updated: 2024-08-01T21:03:11.030Z

NVD

Status : Awaiting Analysis

Published: 2024-05-31T18:15:13.280

Modified: 2024-06-05T15:15:12.620

Link: CVE-2024-5176

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5176", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "state": "PUBLISHED", "assignerShortName": "Baxter", "dateReserved": "2024-05-21T16:07:59.038Z", "datePublished": "2024-05-31T17:26:05.140Z", "dateUpdated": "2024-09-03T15:31:58.511Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Welch Allyn Configuration Tool", "vendor": "Baxter", "versions": [{"lessThanOrEqual": "1.9.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Baxter reported this vulnerability to CISA."}], "datePublic": "2024-05-30T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.<p>This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior.</p>"}], "value": "Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior."}], "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-06-05T14:41:49.489Z"}, "references": [{"url": "https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:</p><ul><li>Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024</li><li>No user action will be required once the update is released.</li></ul><p>Baxter recommends the following workarounds to help reduce risk:</p><ul><li>Apply proper network and physical security controls.</li><li>The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2.</li></ul>"}], "value": "Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:\n\n * Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024\n * No user action will be required once the update is released.\n\n\nBaxter recommends the following workarounds to help reduce risk:\n\n * Apply proper network and physical security controls.\n * The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2."}], "source": {"advisory": "ICSMA-24-151-01", "discovery": "UNKNOWN"}, "title": "Vulnerability in Welch Allyn Configuration Tool Software", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:11.030Z"}, "title": "CVE Program Container", "references": [{"url": "https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "baxter", "product": "welch_allyn_configuration_tool", "cpes": ["cpe:2.3:a:baxter:welch_allyn_configuration_tool:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.4.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T15:30:10.899212Z", "id": "CVE-2024-5176", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:31:58.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:11.030Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5176", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-03T15:30:10.899212Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:baxter:welch_allyn_configuration_tool:*:*:*:*:*:*:*:*"], "vendor": "baxter", "product": "welch_allyn_configuration_tool", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.4.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:31:53.364Z"}}], "cna": {"title": "Vulnerability in Welch Allyn Configuration Tool Software", "source": {"advisory": "ICSMA-24-151-01", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Baxter reported this vulnerability to CISA."}], "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Baxter", "product": "Welch Allyn Configuration Tool", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.4.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:\n\n * Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024\n * No user action will be required once the update is released.\n\n\nBaxter recommends the following workarounds to help reduce risk:\n\n * Apply proper network and physical security controls.\n * The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2.", "supportingMedia": [{"type": "text/html", "value": "<p>Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:</p><ul><li>Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024</li><li>No user action will be required once the update is released.</li></ul><p>Baxter recommends the following workarounds to help reduce risk:</p><ul><li>Apply proper network and physical security controls.</li><li>The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2.</li></ul>", "base64": false}]}], "datePublic": "2024-05-30T17:00:00.000Z", "references": [{"url": "https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior.", "supportingMedia": [{"type": "text/html", "value": "Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.<p>This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-06-05T14:41:49.489Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5176", "state": "PUBLISHED", "dateUpdated": "2024-09-03T15:31:58.511Z", "dateReserved": "2024-05-21T16:07:59.038Z", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "datePublished": "2024-05-31T17:26:05.140Z", "assignerShortName": "Baxter"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficiently Protected Credentials vulnerability in Baxter Welch Allyn Configuration Tool may allow Remote Services with Stolen Credentials.This issue affects Welch Allyn Configuration Tool: versions 1.9.4.1 and prior."}, {"lang": "es", "value": "La vulnerabilidad de credenciales insuficientemente protegidas en la herramienta de configuraci\u00f3n Baxter Welch Allyn puede permitir servicios remotos con credenciales robadas. Este problema afecta a la herramienta de configuraci\u00f3n Welch Allyn: versiones 1.9.4.1 y anteriores."}], "id": "CVE-2024-5176", "lastModified": "2024-06-05T15:15:12.620", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "productsecurity@baxter.com", "type": "Secondary"}]}, "published": "2024-05-31T18:15:13.280", "references": [{"source": "productsecurity@baxter.com", "url": "https://cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01"}], "sourceIdentifier": "productsecurity@baxter.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "productsecurity@baxter.com", "type": "Secondary"}]}