PatchSiren cyber security CVE debrief

CVE-2024-5176 Baxter CVE debrief

A critical vulnerability in Baxter's Welch Allyn Product Configuration Tool (versions ≤1.9.4.1) exposes authentication credentials and user input to potential compromise. Published by CISA on May 30, 2024, this vulnerability carries a CVSS 3.1 score of 9.6 (Critical). The nature of the credential exposure suggests that any credentials entered during tool operation, including authentication credentials or other sensitive input, may have been captured by an attacker. Baxter has removed the configuration tool from public access and plans to release version 1.9.4.2 in Q3 2024 to address the vulnerability. No evidence of actual data compromise has been identified to date.

Vendor
Baxter
Product
Welch Allyn Product Configuration Tool
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-30
Original CVE updated
2024-05-30
Advisory published
2024-05-30
Advisory updated
2024-05-30

Who should care

Healthcare organizations using Baxter Welch Allyn medical devices, biomedical engineering teams, clinical engineering departments, healthcare IT security teams, and any personnel who have used the Welch Allyn Configuration Tool for device configuration

Technical summary

The Welch Allyn Product Configuration Tool, used for configuring Baxter medical devices, contains a vulnerability that exposes credentials and user input to potential compromise. According to its CVSS 3.1 vector, the vulnerability is network-exploitable with low attack complexity and requires no privileges, but it does require user interaction. The scope is changed, with high impact to confidentiality and integrity and low impact to availability. The exact mechanism of credential exposure is not detailed in the advisory, but the impact statement indicates that any credentials used for authentication or entered as input during tool operation are at risk. This suggests insecure credential handling, logging, or transmission within the tool.

Defensive priority

Critical

Recommended defensive actions

  • Rotate all credentials that were used for authentication or entered as input while using the Welch Allyn Configuration Tool
  • Contact Baxter Technical Support at (800) 535-6663, option 2, or your Baxter Project Manager for configuration file creation needs, as the tool has been removed from public access
  • Apply network and physical security controls to reduce exposure risk
  • Monitor for vendor release of Welch Allyn Product Configuration Tool version 1.9.4.2 (expected Q3 2024) and apply when available
  • Review accounts and systems that may have shared credentials with the affected tool for signs of unauthorized access

Evidence notes

Source: CISA ICS Medical Advisory ICSMA-24-151-01. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L. Affected product: Baxter Welch Allyn Product Configuration Tool ≤1.9.4.1. Vendor fix: version 1.9.4.2 available Q3 2024.

Official resources

CISA ICS Medical Advisory ICSMA-24-151-01 (published 2024-05-30)