CVE-2020-12008
📋 TL;DR
Baxter ExactaMix EM systems transmit sensitive patient health information (PHI) in unencrypted cleartext over the network. This allows attackers with network access to intercept and view confidential medical data. Healthcare organizations using these specific Baxter medical devices are affected.
💻 Affected Systems
- Baxter ExactaMix EM 2400
- Baxter ExactaMix EM 1200
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and steal protected health information (PHI), leading to HIPAA violations, patient privacy breaches, medical identity theft, and potential manipulation of medication orders.
Likely Case
Unauthorized network monitoring reveals patient treatment information, compromising patient confidentiality and potentially violating healthcare regulations.
If Mitigated
With proper network segmentation and monitoring, impact is limited to internal network visibility but still represents a compliance violation.
🎯 Exploit Status
Exploitation requires network access but no authentication. Attack involves passive network sniffing of cleartext communications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ExactaMix EM 2400: 1.13; ExactaMix EM 1200: 1.4
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsma-20-170-01
Restart Required: Yes
Instructions:
1. Contact Baxter technical support for patch availability.
2. Schedule a maintenance window.
3. Apply the firmware update following Baxter's instructions.
4. Verify encryption is enabled for order communications.
🔧 Temporary Workarounds
Network Segmentation
Isolate Baxter ExactaMix systems on a separate VLAN with strict access controls
VPN Tunnel
Establish an encrypted VPN tunnel between ExactaMix and the order entry system
🧯 If You Can't Patch
- Implement strict network segmentation to isolate medical devices from general network traffic
- Deploy network monitoring and intrusion detection to alert on unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via system menu or Baxter management interface
Check Version:
Check via Baxter device interface: System > About > Firmware Version
Verify Fix Applied:
Verify firmware version is 1.13 (EM 2400) or 1.4 (EM 1200) and confirm encrypted communications with order entry system
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to/from medical devices
- Multiple failed connection attempts to order entry system
Network Indicators:
- Cleartext medical data packets on network
- Unencrypted traffic on ports used by ExactaMix systems
SIEM Query:
source_ip IN (medical_device_ips) AND protocol = 'tcp' AND port = [order_system_port] AND (payload_contains 'PHI' OR payload_contains 'patient')
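The SIEM query above and the "Verify Fix Applied" step both come down to one question: is traffic between the ExactaMix device and the order entry system cleartext carrying PHI-like fields, or is it encrypted? The script below is an added example, not code from the advisory or from Baxter. It classifies captured TCP payloads as TLS, cleartext or opaque binary using the TLS record header, printable-character ratio and byte entropy, then flags cleartext payloads that match PHI-indicative tokens. The device IP list, the keyword patterns and the sample payloads are all constructed assumptions; the ExactaMix wire format is not documented on this page, so the patterns must be tuned against real captures.

```python
"""Added example (not from the advisory or Baxter): classify captured TCP
payloads between a compounding device and its order entry system as
encrypted or cleartext, and flag cleartext payloads carrying PHI-like
fields. All addresses, patterns and payloads below are constructed."""
import math
import re
from collections import Counter

# Assumed inventory of medical device addresses (constructed values).
MEDICAL_DEVICE_IPS = {"10.20.30.41", "10.20.30.42"}

# Assumed PHI-indicative tokens; derive these from the real order message
# format in production rather than this guess.
PHI_PATTERNS = [
    re.compile(rb"\bpatient\b", re.I),
    re.compile(rb"\bMRN[:=]\s*\d+", re.I),
    re.compile(rb"\bDOB[:=]", re.I),
    re.compile(rb"\bPHI\b"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads approach 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14-0x17, version bytes 0x03 0x0X."""
    return (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)


def classify(payload: bytes) -> str:
    """Return 'tls', 'cleartext' or 'opaque' (binary but not TLS)."""
    if looks_like_tls(payload):
        return "tls"
    if printable_ratio(payload) > 0.9 and shannon_entropy(payload) < 6.0:
        return "cleartext"
    return "opaque"


def phi_hits(payload: bytes) -> list:
    """Names of the PHI patterns that match the payload."""
    return [p.pattern.decode() for p in PHI_PATTERNS if p.search(payload)]


def audit_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload bytes).
    Returns alert dicts for device traffic that is cleartext and
    carries PHI-like content; TLS and non-device flows are ignored."""
    alerts = []
    for src, dst, port, payload in flows:
        if src not in MEDICAL_DEVICE_IPS and dst not in MEDICAL_DEVICE_IPS:
            continue
        kind = classify(payload)
        hits = phi_hits(payload) if kind == "cleartext" else []
        if hits:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "kind": kind, "hits": hits})
    return alerts


# Constructed sample flows: a cleartext order, a TLS ClientHello fragment,
# and a non-device host. Payload text is invented, not the ExactaMix format.
SAMPLE_FLOWS = [
    ("10.20.30.41", "10.20.40.5", 5000,
     b"ORDER|patient=Jane Doe|MRN: 123456|DOB: 1970-01-01|TPN bag 1"),
    ("10.20.30.42", "10.20.40.5", 5000,
     bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01, 0x00, 0x00, 0xA1, 0x03, 0x03])
     + bytes(range(32))),
    ("10.20.50.9", "10.20.40.5", 5000, b"patient=Someone Else"),
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print(alert)
```

Run it against the sample flows and only the first one is reported: the second is recognised as a TLS record and the third does not involve an inventoried device. After the firmware update, every flow between the device and the order entry system should classify as "tls" (or at least "opaque"); any "cleartext" result with pattern hits means the fix is not effective on that path.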