Assessment
CFSE Consequence Paths assesses Baxter Life2000 internal JTAG flash R/W at CRITICAL — the worst of 2 risk paths (safety, authority). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
Baxter Life2000 internal JTAG flash R/W. Reported attack vector: Local (should be Physical - internal header).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:1/EC:3/EX:1/PH:4/DP:3/AT:3/CH:3/SR:4/SX:1/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=1 (reachability-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · caps low-exposure cap → assessed CRITICAL.
- Writing flash lets the attacker modify control firmware on a life-support ventilator, enabling dangerous therapy alteration. RE:1 internal JTAG header requires opening the device, board-level access, per-device. EC:3 crafting a malicious firmware/control modification that actually alters therapy is a standard-but-deliberate researcher workflow beyond a raw flash dump. PH:4 credible serious injury/death from altered ventilator therapy / life-support failure. AT:3 control authority modifying firmware/command behavior of the device. DP:3 sensitive operational/firmware state. CH:3 chains physical access into safety actuation across boundaries. SR:4 the technique and any extracted secrets are reusable across the model. SX:1 strictly per-device physical access. OR:4 persistent and hard to detect, needs field service; per-device so recovery_needs_fleet_action=false.
- perception_feeds_action — false (this is direct actuation control, not a perception channel feeding action). EV:2 report-backed. LS PATCH_AVAILABLE.
FIRMWARE_TRUST_ROOT → CRITICAL
CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:1/EC:4/EX:1/PH:4/DP:3/AT:4/CH:4/SR:4/SX:1/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=1 (reachability-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · caps low-exposure cap → assessed CRITICAL.
JTAG flash R/W on an MCU with no memory protection means the attacker can read and rewrite firmware, owning the device’s code-execution trust root and persisting through reflash/reboot. RE:1 because it requires opening the device and clipping onto an internal header (board access, per-device physical/invasive, not internet/proximity). EC:4 once attached JTAG read/write is single-tool commodity. AT:4 firmware R/W = control over the device’s root of trust/code execution. PH:3 firmware compromise can alter ventilator therapy behavior (safety-margin/therapy-control influence). DP:3 firmware/CSP exposure (proprietary/sensitive secrets). CH:4 a reusable cross-boundary bridge (physical->firmware->control) and the knowledge/secret extraction reuses across all units of the model. SR:4 firmware and any embedded keys/CSPs are portable across the model line. SX:1 each device must be physically opened. OR:4 persistent, hard to detect, requires field service to recover; but per-device service not a fleet/OTA-root rotation, so recovery_needs_fleet_action=false. EV:2 report-backed (CVE-2024-48970, no public reproduction). LS PATCH_AVAILABLE.
Published baseline
- v3.1 9.3 CRITICAL —
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — Baxter/Product Security via NVD
The published baseline above is retained for source review. Paths decomposes the consequence into authority, perception, safety, scale, and recoverability paths rather than using the baseline score as the primary registry frame.
Sources