CVE-2020-12040

Sigma Spectrum Infusion System vs6.x (model 35700BAX) and Baxter Spectrum Infusion System Version(s) 8.x (model 35700BAX2) at the application layer uses an unauthenticated clear-text communication channel to send and receive system status and operational data. This could allow an attacker that has circumvented network security measures to view sensitive non-private data or to perform a man-in-the-middle attack.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name	Vendor	Start Version	End Version
Sigma_spectrum_infusion_system_firmware	Baxter	6.0 (including)	6.05 (including)
Sigma_spectrum_infusion_system_firmware	Baxter	8.0 (including)	8.0 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/102.html
https://cwe.mitre.org/data/definitions/117.html
https://cwe.mitre.org/data/definitions/383.html
https://cwe.mitre.org/data/definitions/477.html
https://cwe.mitre.org/data/definitions/65.html

References

https://www.us-cert.gov/ics/advisories/icsma-20-170-04
https://www.us-cert.gov/ics/advisories/icsma-20-170-04

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-12040
CWE	https://cwe.mitre.org/data/definitions/319.html

Cleartext Transmission of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References