On May 30, 2024, CISA publicized ICS Medical Alerts for Baxter products and medical devices. Baxter identified two critical vulnerabilities in its Welch Allyn products, namely the Welch Allyn Connex Spot Monitor and the Welch Allyn Product Configuration Tool.
Baxter discovered a critical vulnerability that impacts the Welch Allyn Product Configuration Tool version 1.9.4.1 and earlier versions. The vulnerability monitored as CVE-2024-5176 is a result of “insufficiently protected credentials” and is given a CVSS v3.1 base rating of 9.6 and a CVSS v4 rating of 9.4. As per Baxter, any credentials that were employed for authentication or input when using the Welch Allyn Configuration Tool can be exposed to unauthorized interception and/or access. To avoid remote exploitation, the credentials need to be modified promptly.
Baxter did not find any proof that indicates the exploitation of the vulnerability in the wild and plans to introduce another software update to handle the vulnerability. As soon as the update is available, the vulnerability will be fixed without requiring any other action. However, the new version 1.9.4.2 will not be available until Q3 of 2024. Meanwhile, the Welch Allyn Configuration Tool is not available for public access. When customers need to make configuration files, they need Baxter Technical Assistance.
The second critical vulnerability impacts the Welch Allyn Connex Spot Monitor (CSM) version 1.52 and earlier versions. The vulnerability is monitored as CVE-2024-1275 and is given a CVSS v3.1 base rating of 7.4 and a CVSS v4 rating of 9.1. It is caused by the “Use of a default cryptographic key” for possibly critical functions. Most devices are created to use default keys to ease the production process or the system administrator’s job of installing and deploying an enterprise. When admins fail to alter the defaults, attackers can easily bypass authentication through several organizations. When exploited remotely, an attacker can change the device settings and firmware information, which would affect and/or hold up patient care. Brikl CEO & Co-Founder, Maarten Boone, together with, Zerocopter CTO, Edwin Van Andel, reported the vulnerability to Baxter.
Baxter has introduced a software upgrade to deal with vulnerabilities in all units and software programs. The vulnerability is resolved in Welch Allyn Connex Spot Monitor version 1.5.2.01, which was made available on October 16, 2023. In case it isn’t possible to use the upgrade, Baxter has recommended a workaround to lessen the possibility of threat, which entails using the proper system and physical security settings and making sure that encryption is set up and used on the product, as advised in the product guide.
Photo Credit: Baxter Welch Allyn / Romar66 – stock.adobe
