CVE-2020-12048 - OpenCVE

Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Baxter	Phoenix X36 Phoenix X36 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:::::::*
	cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:::::::*

cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsma-20-170-03	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2020-06-29T13:48:04

Updated: 2020-06-29T13:48:04

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-12048

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-06-29T14:15:11.990

Modified: 2020-07-16T13:12:20.120

Link: CVE-2020-12048

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"product": "Baxter Phoenix Hemodialysis Delivery System", "vendor": "n/a", "versions": [{"status": "affected", "version": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"}]}], "descriptions": [{"lang": "en", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-29T13:48:04", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-12048", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Baxter Phoenix Hemodialysis Delivery System", "version": {"version_data": [{"version_value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-12048", "datePublished": "2020-06-29T13:48:04", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2020-06-29T13:48:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*", "matchCriteriaId": "1809D598-FB9F-4D54-8B3F-119B3A549F05", "vulnerable": true}, {"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*", "matchCriteriaId": "3B2F08A4-7907-400E-9D60-812A2F0BA929", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*", "matchCriteriaId": "D4EE9264-DAE6-4010-A27E-DFA71C1CD165", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}, {"lang": "es", "value": "Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\u00f3n de datos de di\u00e1lisis Exalis. Un atacante con acceso a la red podr\u00eda observar el tratamiento confidencial y los datos de prescripci\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis"}], "id": "CVE-2020-12048", "lastModified": "2020-07-16T13:12:20.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-29T14:15:11.990", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}