Baxter ExactaMix EM 1200/ExactaMix EM 2400 hard-coded password
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.5 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Baxter ExactaMix EM 1200 and ExactaMix EM 2400. This affects an unknown part. Such manipulation leads to hard-coded password. This vulnerability is uniquely identified as CVE-2020-12016. The attack can be launched remotely. No exploit exists.
Details
A vulnerability, which was classified as critical, has been found in Baxter ExactaMix EM 1200 and ExactaMix EM 2400 (the affected version unknown). Affected by this issue is an unknown part. The manipulation with an unknown input leads to a hard-coded password vulnerability. Using CWE to declare the problem leads to CWE-259. The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 have hard-coded administrative account credentials for the ExactaMix operating system. Successful exploitation of this vulnerability may allow an attacker who has gained unauthorized access to system resources, including access to execute software or to view/update files, directories, or system configuration. This could allow an attacker with network access to view sensitive data including PHI.
The weakness was disclosed 06/29/2020 (Website). The advisory is shared for download at us-cert.gov. This vulnerability is handled as CVE-2020-12016 since 04/21/2020. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1078.001.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
The entries VDB-157410, VDB-157411, VDB-157415 and VDB-157413 are pretty similar. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.5
VulDB Base Score: 7.3
VulDB Temp Score: 7.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Hard-coded passwordCWE: CWE-259 / CWE-255
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
04/21/2020 🔍06/29/2020 🔍
06/30/2020 🔍
06/30/2020 🔍
Sources
Advisory: us-cert.govStatus: Not defined
CVE: CVE-2020-12016 (🔍)
GCVE (CVE): GCVE-0-2020-12016
GCVE (VulDB): GCVE-100-157412
See also: 🔍
Entry
Created: 06/30/2020 07:43Updated: 06/30/2020 07:48
Changes: 06/30/2020 07:43 (37), 06/30/2020 07:48 (17)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.