CVE-2024-9834

Cleartext Transmission of Sensitive Information (CWE-319)

Published: Nov 14, 2024 / Updated: 5d ago

010
CVSS 9.3EPSS 0.04%Critical
CVE info copied to clipboard

Summary

Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

Impact

This vulnerability has a high severity with a CVSS base score of 9.3. It affects the confidentiality, integrity, and availability of the system. An attacker could potentially access sensitive information, alter device settings, and impact the performance of the ventilator. The attack vector is local, requires no privileges, and no user interaction, making it relatively easy to exploit if an attacker gains local access.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Based on the provided information, there are no specific details about a patch being available.

Mitigation

While no specific mitigation steps are provided, general recommendations would include: 1. Restrict physical access to the ventilator's serial interface. 2. Implement strong authentication and encryption for all communications on the serial interface. 3. Monitor and log all access attempts to the serial interface. 4. Regularly update the ventilator's firmware if updates become available. 5. Implement network segmentation to isolate medical devices from other networks.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9834

Nov 14, 2024 at 9:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 14, 2024 at 9:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9834. See article

Nov 14, 2024 at 9:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 14, 2024 at 9:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.2%)

Nov 15, 2024 at 10:25 AM
Static CVE Timeline Graph

Affected Systems

Medtronic
+null more

Attack Patterns

CAPEC-102: Session Sidejacking
+null more

News

Multiple vulnerabilities in Baxter Life2000 Ventilation System
Critical Vulnerabilities Found in Baxter Life2000 Ventilation System
This vulnerability allows attackers to exploit the device’s unencrypted serial interface to gain unauthorized access and manipulate device settings. Baxter describes this as leading to unauthorized disclosure of information and/or unintended impacts on device settings and performance.
CVE-2024-9834 | Baxter Life2000 Ventilation System up to 06.08.00.00 Serial Interface cleartext transmission (icsma-24-319-01)
A vulnerability, which was classified as critical , has been found in Baxter Life2000 Ventilation System up to 06.08.00.00 . This issue affects some unknown processing of the component Serial Interface . The manipulation leads to cleartext transmission of sensitive information. The identification of this vulnerability is CVE-2024-9834 . The attack needs to be approached locally. There is no exploit available.
NA - CVE-2024-9834 - Improper data protection on the...
Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended...
CVE-2024-9834 - Medtronic Ventilator Information Exposure Vulnerability November 14, 2024 at 09:15PM https:// ift.tt/9UfJLge # CVE # IOC # CTI # ThreatIntelligence # ThreatIntel # Cybersecurity # Recon
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI