CVE-2022-38069

Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.2

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-22-244-01	Mitigation Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:contechealth:cms8000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:contechealth:cms8000:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-13 15:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-38069

Mitre link : CVE-2022-38069

CVE.ORG link : CVE-2022-38069

JSON object : View

Products Affected

contechealth

cms8000_firmware
cms8000

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2022-38069", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 0.9}]}, "published": "2022-09-13T15:15:08.777", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-244-01", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters"}, {"lang": "es", "value": "Se presentan m\u00faltiples credenciales predeterminadas globales en todos los dispositivos CMS8000 que, una vez expuestas, permiten a un actor de amenazas con acceso f\u00edsico moment\u00e1neo conseguir acceso privilegiado a cualquier dispositivo. El acceso con credenciales privilegiadas permite una extracci\u00f3n de informaci\u00f3n confidencial del paciente o la modificaci\u00f3n de los par\u00e1metros del dispositivo"}], "lastModified": "2022-09-14T22:51:01.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:contechealth:cms8000_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C197D62-6F35-4B87-A721-BDB696EA240F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:contechealth:cms8000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3A0CD9FA-68D7-4EEE-93A5-97275D84E2D3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}