Baxter PrismaFlex and PrisMax Vulnerabilities

Summary

Baxter has released details of multiple vulnerabilities affecting their PrismaFlex and PrisMax critical renal therapy systems. Baxter states that a remote, unauthenticated attacker could exploit some or all of these vulnerabilities to obtain or alter sensitive data.


Affected platforms

The following platforms are known to be affected:

  • Baxter PrismaFlex - All versions
  • Baxter PrisMax - Versions prior to 3

Threat details

  • CVE-2020-12035 - CWE-287 - Both PrismaFlex and PrisMax systems do not require authentication when sending data to an Electronic Medical Records (EMR) or Patient Data Management (PDM) system.
  • CVE-2020-12036 - CWE-319 - Both PrismaFlex and PrisMax systems do not implement in-transit encryption when sending data to an EMR or PDM system.
  • CVE-2020-12037 - CWE-259 - PrismaFlex systems use a hard-coded password to access biomedical data, device and calibration settings, or network configurations.

For further information:


Remediation steps

Baxter has produced updates for both PrismaFlex and PrisMax systems. Affected organisations are encouraged to review these updates and apply them immediately.

Additionally, Baxter recommend affected organisations apply the following partial mitigating controls where possible:

  • Ensure PrismaFlex and PrisMax systems are isolated on their own subnetworks.
  • Ensure system compatibility between PrismaFlex/PrisMax systems and the chosen EMR or PDM systems.
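Because the devices send data without authentication (CVE-2020-12035) and without in-transit encryption (CVE-2020-12036), the value of the subnet-isolation control above depends on the device subnet only ever exchanging traffic with the approved EMR/PDM host. The following is an added example, not code from Baxter or from this alert, of how an operator might audit exported flow records to confirm that. The subnet (10.50.20.0/24), the EMR/PDM host (10.10.5.40), the log format and the sample records are all constructed for illustration and are not taken from the advisory.

```python
"""Audit flow records for renal-therapy device traffic that leaves its
isolated subnet. Added example; addressing and log format are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed addressing (not from the advisory): the devices sit on their own
# /24 and the only permitted off-subnet peer is the EMR/PDM integration host.
DEVICE_SUBNET = ipaddress.ip_network("10.50.20.0/24")
APPROVED_PEERS = {ipaddress.ip_address("10.10.5.40")}

UNAPPROVED_PEER = "crosses subnet boundary to an unapproved peer"
CLEARTEXT_TO_EMR = "cleartext session with approved EMR/PDM host"


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    tls: bool  # whether the flow exporter marked the session as TLS


# Constructed records in an assumed "ts src dst proto dport tls=yes|no" format.
SAMPLE_FLOW_LOG = """\
# constructed flow records
2021-06-29T10:00:01Z 10.50.20.11 10.10.5.40   tcp 5000 tls=no
2021-06-29T10:00:05Z 10.50.20.11 10.10.5.40   tcp 8443 tls=yes
2021-06-29T10:01:10Z 10.50.20.12 192.168.1.77 tcp 8080 tls=no
2021-06-29T10:02:00Z 10.20.3.5   10.50.20.12  tcp 22   tls=no
2021-06-29T10:02:30Z 10.50.20.11 10.50.20.13  udp 5353 tls=no
2021-06-29T10:03:00Z 10.1.1.1    10.1.1.2     tcp 443  tls=yes
"""


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the assumed whitespace-separated format; comments and blank lines are skipped."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, src, dst, proto, dport, tls = fields
        # Validate addresses up front so a malformed record fails loudly, not silently.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), tls.lower() == "tls=yes"))
    return flows


def audit_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) findings for device traffic that breaks the isolation policy.

    Rules:
      - traffic with neither endpoint in the device subnet is out of scope;
      - traffic staying inside the device subnet is allowed;
      - traffic crossing the boundary in either direction must involve an approved peer;
      - cleartext sessions with the approved peer are reported too, because the devices
        do not encrypt in transit and that path should be known and confined.
    """
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        src_dev, dst_dev = src in DEVICE_SUBNET, dst in DEVICE_SUBNET
        if not (src_dev or dst_dev):
            continue
        if src_dev and dst_dev:
            continue
        peer = dst if src_dev else src
        if peer not in APPROVED_PEERS:
            findings.append((f, UNAPPROVED_PEER))
        elif not f.tls:
            findings.append((f, CLEARTEXT_TO_EMR))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_flows(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed sample, the audit reports the cleartext session to the EMR host, a device reaching an unapproved 192.168.1.77, and an inbound connection from a workstation outside the subnet; intra-subnet and unrelated traffic is ignored. Inbound flows are checked as strictly as outbound ones because the missing authentication means a host that can reach the devices on the network can pose as the EMR/PDM endpoint.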


Last edited: 29 June 2021 12:01 pm