Baxter Life2000 Ventilation System
8 CVEs affecting Baxter Life2000 Ventilation System. Latest disclosed: 2024-11-14. Critical: 8, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-48967 | Critical | 10.0 | 2024-11-14 | The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination… |
| CVE-2024-48966 | Critical | 10.0 | 2024-11-14 | The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC w… |
| CVE-2024-48970 | Critical | 9.3 | 2024-11-14 | The ventilator's microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an o… |
| CVE-2024-48974 | Critical | 9.3 | 2024-11-14 | The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized chang… |
| CVE-2024-48973 | Critical | 9.3 | 2024-11-14 | The debug port on the ventilator's serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which… |
| CVE-2024-48971 | Critical | 9.3 | 2024-11-14 | The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the pa… |
| CVE-2024-9832 | Critical | 9.3 | 2024-11-14 | There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execu… |
| CVE-2024-9834 | Critical | 9.3 | 2024-11-14 | Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of in… |