CVE-2024-48966

Missing Authentication for Critical Function (CWE-306)

Published: Nov 14, 2024 / Updated: 5d ago

010
CVSS 10EPSS 0.04%Critical
CVE info copied to clipboard

Summary

The software tools used by service personnel to test & calibrate ventilators lack user authentication. An attacker with access to the Service PC where these tools are installed could obtain diagnostic information through the test tool or manipulate the ventilator's settings and embedded software via the calibration tool, without needing to authenticate.

Impact

This vulnerability could lead to unauthorized disclosure of sensitive information related to ventilator diagnostics. More critically, it could allow an attacker to manipulate ventilator settings and embedded software, potentially causing unintended and dangerous impacts on device performance. Given the critical nature of ventilators in medical settings, this could pose severe risks to patient safety.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Based on the provided information, there is no mention of an available patch for this vulnerability.

Mitigation

While no specific mitigation is mentioned in the provided data, general recommendations would include: 1. Implement strong authentication mechanisms for the service tools. 2. Restrict physical access to Service PCs where these tools are installed. 3. Monitor and log all access to these tools. 4. Implement network segmentation to isolate Service PCs from general network access. 5. Regularly update and patch the service tools and associated systems.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48966

Nov 14, 2024 at 10:15 PM
CVSS

A CVSS base score of 10 has been assigned.

Nov 14, 2024 at 10:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-48966. See article

Nov 14, 2024 at 10:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 14, 2024 at 10:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.2%)

Nov 15, 2024 at 10:23 AM
Static CVE Timeline Graph

Affected Systems

Baxter
+null more

Attack Patterns

CAPEC-12: Choosing Message Identifier
+null more

News

Multiple vulnerabilities in Baxter Life2000 Ventilation System
Critical Vulnerabilities Found in Baxter Life2000 Ventilation System
This vulnerability allows attackers to exploit the device’s unencrypted serial interface to gain unauthorized access and manipulate device settings. Baxter describes this as leading to unauthorized disclosure of information and/or unintended impacts on device settings and performance.
CVE-2024-48966 | Baxter Life2000 Ventilation System up to 06.08.00.00 missing authentication (icsma-24-319-01)
A vulnerability has been found in Baxter Life2000 Ventilation System up to 06.08.00.00 and classified as very critical . Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. This vulnerability is known as CVE-2024-48966 . The attack can be launched remotely. There is no exploit available.
NA - CVE-2024-48966 - The software tools used by service personnel to...
The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could...
CVE-2024-48966 - "Medtronic Ventilator Unauthenticated Diagnostic and Calibration Tool Access" November 14, 2024 at 10:15PM https:// ift.tt/lrsVmaY # CVE # IOC # CTI # ThreatIntelligence # ThreatIntel # Cybersecurity # Recon
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI