CVE-2024-9832

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Published: Nov 14, 2024 / Updated: 5d ago

CVSS 9.3 | EPSS 0.04% | Critical

Summary

There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password on a ventilator device. This vulnerability allows for potential brute-force attacks to gain unauthorized access to the ventilator.

Impact

If exploited, an attacker could gain unauthorized access to the ventilator and make changes to device settings. This could potentially disrupt the function of the device, which is critical for patient care. Additionally, it could result in unauthorized information disclosure, potentially compromising patient data or sensitive medical information. Given the high scores for integrity, availability, and confidentiality impacts, this vulnerability poses a severe risk to the overall operation and security of the ventilator.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

Based on the provided information, no patch is mentioned as available for this vulnerability.

Mitigation

While specific mitigation steps are not provided in the vulnerability data, general recommendations for this type of vulnerability might include:

1. Implement account lockout policies after a certain number of failed login attempts.
2. Use strong, unique passwords for clinician and serial number access.
3. Implement multi-factor authentication if possible.
4. Monitor and log access attempts to detect potential brute-force attacks.
5. Restrict physical access to the ventilator devices to authorized personnel only.
6. Regularly update and patch the ventilator software if updates become available.
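As an added illustration of recommendations 1 and 4 (not code from the advisory or from the vendor), the following guard enforces a per-credential-class failed-attempt limit for the two password types named in the summary and keeps an audit trail that a burst detector can read; the credential names, password values, thresholds and timestamps are constructed assumptions for this example.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field

# The two credential classes named in the advisory; the values are
# constructed placeholders for this example, not real device passwords.
CREDENTIALS = {"clinician": "c0nstructed-pw", "serial_clinician": "c0nstructed-sn-pw"}

@dataclass
class LoginGuard:
    """Per-credential failed-attempt limit with time-bounded lockout (CWE-307 mitigation)."""
    threshold: int = 5             # failures before a temporary lockout
    lockout_seconds: float = 300   # bounded so an authorised clinician regains access
    window_seconds: float = 600    # detection window for burst alerting
    state: dict = field(default_factory=dict)         # cred -> [fail_count, locked_until]
    recent_fails: dict = field(default_factory=dict)  # cred -> deque of failure timestamps
    audit: list = field(default_factory=list)         # append-only log for SOC review

    def attempt(self, cred: str, supplied: str, now: float) -> str:
        count, locked_until = self.state.get(cred, [0, 0.0])
        if now < locked_until:
            self.audit.append(f"{now:.0f} {cred} REJECTED(locked)")
            return "locked"
        # constant-time compare so response timing does not leak partial matches
        if hmac.compare_digest(supplied.encode(), CREDENTIALS[cred].encode()):
            self.state[cred] = [0, 0.0]
            self.audit.append(f"{now:.0f} {cred} OK")
            return "ok"
        count += 1
        self.recent_fails.setdefault(cred, deque()).append(now)
        if count >= self.threshold:
            self.state[cred] = [0, now + self.lockout_seconds]
            self.audit.append(f"{now:.0f} {cred} FAIL lockout_until={now + self.lockout_seconds:.0f}")
            return "locked"
        self.state[cred] = [count, locked_until]
        self.audit.append(f"{now:.0f} {cred} FAIL {count}/{self.threshold}")
        return "fail"

    def burst_alert(self, cred: str, now: float, max_fails: int = 3) -> bool:
        """True when failures for cred inside the last window exceed max_fails."""
        q = self.recent_fails.get(cred, deque())
        while q and q[0] < now - self.window_seconds:
            q.popleft()
        return len(q) > max_fails

def demo() -> list:
    """Six wrong guesses, then the right password during and after lockout."""
    g = LoginGuard()
    results = [g.attempt("clinician", f"guess{i}", 100 + i) for i in range(6)]
    results.append(g.attempt("clinician", CREDENTIALS["clinician"], 110))  # still locked
    results.append(g.attempt("clinician", CREDENTIALS["clinician"], 500))  # lockout expired
    return results
```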

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9832

Nov 14, 2024 at 9:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 14, 2024 at 9:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9832.

Nov 14, 2024 at 9:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 14, 2024 at 9:21 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 14, 2024 at 9:49 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.2%)

Nov 15, 2024 at 10:25 AM

Affected Systems

Philips

Links to MITRE ATT&CK

T1110.001: Password Guessing

Attack Patterns

CAPEC-16: Dictionary-based Password Attack

News

Multiple vulnerabilities in Baxter Life2000 Ventilation System
Critical Vulnerabilities Found in Baxter Life2000 Ventilation System
This vulnerability allows attackers to exploit the device’s unencrypted serial interface to gain unauthorized access and manipulate device settings. Baxter describes this as leading to unauthorized disclosure of information and/or unintended impacts on device settings and performance.
CVE-2024-9832 - Exploits & Severity - Feedly
If exploited, an attacker could gain unauthorized access to the ventilator and make changes to device settings. This vulnerability allows for potential brute-force attacks to gain unauthorized access to the ventilator.
CVE-2024-9832 | Baxter Life2000 Ventilation System up to 06.08.00.00 Login excessive authentication (icsma-24-319-01)
A vulnerability has been found in Baxter Life2000 Ventilation System up to 06.08.00.00 and classified as problematic. This vulnerability affects unknown code of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. This vulnerability was named CVE-2024-9832. Attacking locally is a requirement. There is no exploit available.
NA - CVE-2024-9832 - There is no limit on the number of failed login...
There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain...

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
