Level Nine reported these vulnerabilities to CISA. Contec Health has not responded to requests to work with CISA to mitigate these vulnerabilities.
- CVE-2022-36385 - IMPROPER ACCESS CONTROLS - CWE-284
An attacker with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent an attacker from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device. A CVSS v3 base score of 6.8 has been calculated.
- CVE-2022-38100 - UNCONTROLLED RESOURCE CONSUMPTION - CWE-400
The CMS800 device fails while attempting to parse malformed network data sent by an attacker. An attacker with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network. A CVSS v3 base score of 7.5 has been calculated.
- CVE-2022-38069 - USE OF HARD-CODED CREDENTIALS - CWE-798
Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow an attacker with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters. A CVSS v3 base score of 4.3 has been calculated.
- CVE-2022-38453 - ACTIVE DEBUG CODE - CWE-489
Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for an attacker to reverse engineer sensitive code and identify additional vulnerabilities. A CVSS v3 base score of 3.0 has been calculated.
- CVE-2022-3027 - IMPROPER ACCESS CONTROL - CWE-284
The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. An attacker could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information. A CVSS v3 base score of 5.7 has been calculated.