CVE-2020-12036
📋 TL;DR
Baxter PrismaFlex and PrisMax devices transmit patient treatment data in cleartext when they are configured to send it to a patient data management system (PDMS) or electronic medical record (EMR). Anyone who can observe the network path between the device and the receiving system can read that data. Devices that are not configured for PDMS/EMR export do not send the data and are not exposed by this issue.
💻 Affected Systems
- Baxter PrismaFlex
- Baxter PrisMax
📦 What is this software?
PrismaFlex and PrisMax are Baxter continuous renal replacement therapy (CRRT) systems used at the bedside in intensive care units. Both can be configured to export patient treatment data over the hospital network to a PDMS or EMR, which is the data path affected by this CVE.
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and steal sensitive patient medical data including treatment details, potentially leading to medical identity theft, privacy violations, and regulatory compliance failures.
Likely Case
Unauthorized observation of patient treatment data during transmission, compromising patient privacy and violating HIPAA/GDPR requirements.
If Mitigated
No data exposure when proper encryption is implemented or when devices are not configured to send data externally.
🎯 Exploit Status
Exploitation is passive: an attacker positioned on the network path between the device and the PDMS/EMR (a compromised host on the same segment, a mirror/SPAN port, or an upstream network device) can read the traffic. No credentials and no interaction with the device are required, and the device itself records nothing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PrisMax version 3.x
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsma-20-170-01
Restart Required: Yes
Instructions:
1. Contact Baxter for the PrisMax 3.x upgrade; device firmware on medical equipment is applied through the vendor's service process, not by the hospital IT team on its own.
2. For PrismaFlex, no patched version is listed here; rely on network-level encryption and segmentation (see below).
3. Follow the vendor's update and revalidation procedure for the device before returning it to clinical use.
🔧 Temporary Workarounds
Network Segmentation and Encryption
Implement network segmentation and carry device-to-PDMS/EMR traffic inside an IPsec or VPN tunnel. The device cannot encrypt by itself, so the tunnel must start at a gateway adjacent to the device; the hop between the device and that gateway remains cleartext.
Disable External Data Transmission
Configure devices not to send treatment data to external PDMS/EMR systems until an encrypted path is in place.
🧯 If You Can't Patch
- Terminate an IPsec/VPN tunnel as close to the device as possible (on the device VLAN's edge) and route all device-to-PDMS/EMR traffic through it
- Isolate the medical device segment, restrict it to the PDMS/EMR listener it needs, and alert on any other host that joins the segment or attempts to reach it
🔍 How to Verify
Check if Vulnerable:
Check the device configuration for an enabled PDMS/EMR export setting; then capture traffic from the device to the PDMS/EMR host and confirm whether the payload is readable (no TLS handshake, human-readable message content)
Check Version:
Check device display or management interface for PrisMax version information
Verify Fix Applied:
Verify the PrisMax version is 3.x or higher; then confirm with a packet capture that device-to-PDMS/EMR traffic is encrypted (TLS, or an IPsec/VPN tunnel starting at the device's gateway) rather than relying on the port number alone. For PrismaFlex, which has no version fix listed here, the check is the network path, not the device version
📡 Detection & Monitoring
Log Indicators:
- Device-to-PDMS/EMR connections on which no TLS handshake is ever negotiated
- PDMS/EMR or interface-engine logs showing device data received on a non-TLS listener
Network Indicators:
- Plaintext medical data in network captures
- Unencrypted traffic on medical device network segments
SIEM Query (port-based heuristic; a non-TLS port does not prove cleartext and port 443 does not prove TLS, so confirm with a payload capture):
source_ip IN (medical_device_ips) AND dest_ip IN (pdms_emr_ips) AND protocol = 'tcp' AND NOT (port = 443 OR port = 8443)
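The port-based SIEM rule above cannot tell an encrypted flow from a cleartext one; the payload can. The following is an added example for this page, not code from the ICS advisory or from Baxter, that serves both the "Check if Vulnerable" step and the "Network Indicators" above: it takes the first client-to-server payload of each TCP flow, classifies it as a TLS handshake or readable text, and reports cleartext flows from the device VLAN. The device and PDMS addresses, the ports, and the HL7-style message are constructed sample data; the advisory does not state which application protocol PrismaFlex/PrisMax use, so the MLLP/HL7 framing is an assumption used only to build a realistic cleartext sample.

```python
"""Detect cleartext device-to-PDMS/EMR flows from captured TCP payloads.

Added example, not code from the advisory or from Baxter. Addresses, ports
and the HL7-style message are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed inventory of the medical-device VLAN (not from the advisory).
MEDICAL_DEVICE_IPS = {"10.20.30.11", "10.20.30.12"}
TLS_PORTS = {443, 8443}

# Bytes accepted in a "readable" payload: printable ASCII plus the control
# bytes MLLP framing (HL7 v2 over TCP) uses: VT (0x0b), FS (0x1c), CR (0x0d).
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x1C}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first client->server segment that carries data


def classify_payload(data: bytes) -> str:
    """Return 'tls-handshake', 'plaintext', 'binary' or 'empty'."""
    if not data:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello). TLS 1.2/1.3
    # clients still send record version 0x0301, so accept 0x0300..0x0304.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-handshake"
    text_bytes = sum(1 for b in data if b in _TEXT_BYTES)
    return "plaintext" if text_bytes / len(data) >= 0.95 else "binary"


def port_heuristic(flows: List[Flow]) -> List[Flow]:
    """What a port-only SIEM rule flags: device traffic not on a TLS port."""
    return [f for f in flows
            if f.src in MEDICAL_DEVICE_IPS and f.dport not in TLS_PORTS]


def find_cleartext_flows(flows: List[Flow]) -> List[Dict[str, object]]:
    """Payload check: device flows whose first bytes are readable text."""
    findings = []
    for f in flows:
        if f.src not in MEDICAL_DEVICE_IPS:
            continue
        if classify_payload(f.first_payload) == "plaintext":
            findings.append({
                "src": f.src, "dst": f.dst, "dport": f.dport,
                "sample": f.first_payload[:32].decode("ascii", "replace"),
            })
    return findings


# Constructed sample flows (not a real capture).
HL7_MESSAGE = (b"\x0bMSH|^~\\&|CRRT|ICU|PDMS|HOSP|20200616120000||ORU^R01|"
               b"MSG0001|P|2.5\rPID|1||123456^^^HOSP^MR||DOE^JANE\r\x1c\r")
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)
SAMPLE_FLOWS = [
    Flow("10.20.30.11", "10.20.40.5", 2575, HL7_MESSAGE),       # cleartext on MLLP port
    Flow("10.20.30.12", "10.20.40.5", 443, HL7_MESSAGE),        # cleartext on 443: port rule misses it
    Flow("10.20.30.12", "10.20.40.6", 8443, TLS_CLIENT_HELLO),  # properly encrypted
    Flow("10.20.30.11", "10.20.40.7", 5000, bytes(range(256))), # binary, unknown protocol
    Flow("10.20.50.9", "10.20.40.5", 2575, HL7_MESSAGE),        # not a device IP: ignored
]

if __name__ == "__main__":
    flagged = [(f.src, f.dport) for f in port_heuristic(SAMPLE_FLOWS)]
    print("port heuristic flagged:", flagged)
    for hit in find_cleartext_flows(SAMPLE_FLOWS):
        print("cleartext:", hit)
```

Run it as a script and compare the two result sets: the port rule flags the binary flow on port 5000 and misses the cleartext flow on port 443, while the payload check reports exactly the two readable flows. In practice, feed `Flow` records from a capture tool's per-flow output; the first data segment of a TLS connection is always the ClientHello, which is why only the first payload needs inspecting.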