Sign-up

ID

VAR-201903-0658


CVE

CVE-2014-5431


TITLE

Baxter SIGMA Spectrum Infusion System Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2014-008651

DESCRIPTION

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network configuration of the WBM, if connected. The hard-coded password may allow an attacker with physical access to the device to access management functions to make unauthorized configuration changes to biomedical settings such as turn on and off wireless connections and the phase-complete audible alarm that indicates the end of an infusion phase. Baxter has released a new version of the SIGMA Spectrum Infusion System, version 8, which incorporates hardware and software changes. Baxter SIGMA Spectrum Infusion System is a set of intelligent infusion system of Baxter company. Local attackers can use this vulnerability to bypass security restrictions and perform unauthorized operations

Trust: 2.52

sources: NVD: CVE-2014-5431 // JVNDB: JVNDB-2014-008651 // CNVD: CNVD-2015-07336 // BID: 76898 // VULHUB: VHN-73372

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-07336

AFFECTED PRODUCTS

vendor:baxtermodel:sigma spectrum infusion systemscope:eqversion:6.05

Trust: 1.0

vendor:baxtermodel:sigma spectrum infusion systemscope:eqversion:6.05 (model 35700bax)

Trust: 0.8

vendor:baxtermodel:sigma spectrum infusion systemscope: - version: -

Trust: 0.6

vendor:baxtermodel:wireless battery modulescope:eqversion:0

Trust: 0.3

vendor:baxtermodel:sigma spectrum infusion systemscope:eqversion:0

Trust: 0.3

vendor:baxtermodel:wireless battery modulescope:neversion:16

Trust: 0.3

vendor:baxtermodel:sigma spectrum infusion systemscope:neversion:6.05

Trust: 0.3

sources: CNVD: CNVD-2015-07336 // BID: 76898 // JVNDB: JVNDB-2014-008651 // NVD: CVE-2014-5431

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5431
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-5431
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-07336
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201510-645
value: MEDIUM

Trust: 0.6

VULHUB: VHN-73372
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-5431
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-07336
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-73372
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2014-5431
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2015-07336 // VULHUB: VHN-73372 // JVNDB: JVNDB-2014-008651 // CNNVD: CNNVD-201510-645 // NVD: CVE-2014-5431

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

problemtype:CWE-259

Trust: 1.0

sources: VULHUB: VHN-73372 // JVNDB: JVNDB-2014-008651 // NVD: CVE-2014-5431

THREAT TYPE

local

Trust: 0.9

sources: BID: 76898 // CNNVD: CNNVD-201510-645

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201510-645

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-008651

PATCH
title:Top Pageurl:https://www.baxter.com/
Trust: 0.8
title:Patch for Baxter SIGMA Spectrum Infusion System Local Security Bypass Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/66375
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-07336 // 
            
            
            
            JVNDB: JVNDB-2014-008651

EXTERNAL IDS
db:NVDid:CVE-2014-5431
Trust: 3.4
db:ICS CERTid:ICSA-15-181-01
Trust: 2.8
db:BIDid:76898
Trust: 1.0
db:JVNDBid:JVNDB-2014-008651
Trust: 0.8
db:CNNVDid:CNNVD-201510-645
Trust: 0.7
db:CNVDid:CNVD-2015-07336
Trust: 0.6
db:VULHUBid:VHN-73372
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-07336 // 
            
            
            
            VULHUB: VHN-73372 // 
            
            
            
            BID: 76898 // 
            
            
            
            JVNDB: JVNDB-2014-008651 // 
            
            
            
            CNNVD: CNNVD-201510-645 // 
            
            
            
            NVD: CVE-2014-5431

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-15-181-01
Trust: 2.8
url:https://nvd.nist.gov/vuln/detail/cve-2014-5431
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5431
Trust: 0.8
url:http://www.securityfocus.com/bid/76898
Trust: 0.6
url:http://www.baxter.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2015-07336 // 
            
            
            
            VULHUB: VHN-73372 // 
            
            
            
            BID: 76898 // 
            
            
            
            JVNDB: JVNDB-2014-008651 // 
            
            
            
            CNNVD: CNNVD-201510-645 // 
            
            
            
            NVD: CVE-2014-5431

CREDITS
Jared Bird with Allina IS Security
Trust: 0.9
sources:
            
            
            BID: 76898 // 
            
            
            
            CNNVD: CNNVD-201510-645

SOURCES
db:CNVDid:CNVD-2015-07336
db:VULHUBid:VHN-73372
db:BIDid:76898
db:JVNDBid:JVNDB-2014-008651
db:CNNVDid:CNNVD-201510-645
db:NVDid:CVE-2014-5431

LAST UPDATE DATE
2024-11-23T22:17:06.989000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-07336date:2015-11-09T00:00:00
db:VULHUBid:VHN-73372date:2019-10-09T00:00:00
db:BIDid:76898date:2015-09-29T00:00:00
db:JVNDBid:JVNDB-2014-008651date:2019-05-09T00:00:00
db:CNNVDid:CNNVD-201510-645date:2019-10-10T00:00:00
db:NVDid:CVE-2014-5431date:2024-11-21T02:12:02.167

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-07336date:2015-11-09T00:00:00
db:VULHUBid:VHN-73372date:2019-03-26T00:00:00
db:BIDid:76898date:2015-09-29T00:00:00
db:JVNDBid:JVNDB-2014-008651date:2019-05-09T00:00:00
db:CNNVDid:CNNVD-201510-645date:2015-09-29T00:00:00
db:NVDid:CVE-2014-5431date:2019-03-26T16:29:00.243