Baxter Welch Allyn Connex Spot Monitor
Status: Plan Patch · Score: 7.4 · Source: ICS-CERT ICSMA-24-151-02 · Published: May 30, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A cryptographic vulnerability in the Welch Allyn Connex Spot Monitor allows an attacker to modify device configuration and firmware data without authentication. Tampering with this data could compromise the device and delay or otherwise affect patient care. The vulnerability affects versions 1.52 and earlier. Baxter has released firmware version 1.52.01 (available October 16, 2023) to address this issue.
What this means
What could happen
An attacker could modify the monitor's configuration and firmware, potentially causing incorrect readings or device malfunction that could delay or impact patient care in a clinical setting.
Who's at risk
Healthcare facilities operating Baxter Welch Allyn Connex Spot Monitors for patient vital sign monitoring. This includes hospital bedside monitors and point-of-care devices in clinical departments.
How it could be exploited
An attacker with network access to the Connex Spot Monitor could exploit a cryptographic weakness to tamper with firmware or configuration data without authentication. This requires network reachability to the device but does not require user interaction or valid credentials.
Prerequisites
- Network access to the Welch Allyn Connex Spot Monitor
- Device running firmware version 1.52 or earlier
- No authentication or credentials required
Tags: remotely exploitable · no authentication required · affects patient monitoring · medical device tampering · low complexity attack
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Welch Allyn Connex Spot Monitor (CSM) | ≤ 1.52 | 1.52.01
Remediation & Mitigation
Do now
WORKAROUND: Ensure a unique encryption key is configured and applied to the product as described in the Connex Spot Monitor Service Manual.
HARDENING: Apply network access controls to restrict connectivity to the Connex Spot Monitor (firewall rules, network segmentation).
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update the Welch Allyn Connex Spot Monitor to firmware version 1.52.01 or later.
Long-term hardening
HARDENING: Isolate the medical device network from business networks and the internet.
CVEs (1)