Baxter Welch Allyn Configuration Tool

Plan PatchCVSS 9.6ICS-CERT ICSMA-24-151-01May 30, 2024

Baxter

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Welch Allyn Product Configuration Tool versions 1.9.4.1 and earlier contain a credential exposure vulnerability (CWE-522) that could allow an attacker to extract stored credentials through user interaction. The credentials exposed by this vulnerability could be used to gain unauthorized access to Welch Allyn medical devices and their management interfaces. Baxter has removed the Configuration Tool from public access and will release version 1.9.4.2 in Q3 2024 to address this issue. Until the patch is available, Baxter recommends contacting Technical Support to have configuration files created by Baxter rather than using the potentially vulnerable tool directly.

What this means

What could happen

An attacker could obtain stored credentials from the Configuration Tool and use them to gain unauthorized access to Welch Allyn medical devices or their management systems, potentially affecting patient monitoring or treatment delivery.

Who's at risk

Healthcare facilities and Baxter customer organizations that use Welch Allyn Product Configuration Tool for medical device management and configuration, including hospital engineering and biomedical teams responsible for deploying and maintaining Welch Allyn monitoring and diagnostic equipment.

How it could be exploited

An attacker with user interaction (social engineering or phishing) could trick a user into opening a malicious file or link that exploits the vulnerability in the Configuration Tool to extract stored credentials. These credentials could then be used to access connected medical devices or systems.

Prerequisites

User interaction required (user must open malicious file or link)
Access to a system with Welch Allyn Configuration Tool version 1.9.4.1 or earlier installed
Network or physical access to the affected workstation

High CVSS score (9.6)User interaction required (reduces but does not eliminate risk)Credential exposure affects downstream medical devicesConfiguration Tool handles sensitive access credentials

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Welch Allyn Product Configuration Tool: <=1.9.4.1≤ 1.9.4.11.9.4.2

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDContact Baxter Technical Support ((800)535-6663, option 2) to have Baxter create configuration files instead of using the tool directly, until patched

HARDENINGApply proper network and physical security controls to restrict access to workstations running the Configuration Tool

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Welch Allyn Product Configuration Tool to version 1.9.4.2 or later when available (Q3 2024)

Long-term hardening

0/1

HARDENINGIsolate engineering workstations with the Configuration Tool from the business network and internet

CVEs (1)

CVE-2024-5176

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a7322e99-fbf7-40f6-95e8-bcaf1c413b89

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.