Assessment
CFSE Consequence Paths assesses Baxter Life2000 hard-coded clinician credentials at CRITICAL — the worst of 2 risk paths (safety, authority). The dominant consequence is privileged account or control authority.
Vulnerability
Baxter Life2000 hard-coded clinician credentials. Reported attack vector: Local.
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → HIGH
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:4/EX:2/PH:3/DP:3/AT:3/CH:4/SR:4/SX:2/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=2 (reachability-bound) · bands PH=HIGH · DP=HIGH · AT=HIGH → base HIGH · uplift recall-class recovery → assessed HIGH.
- Using the recovered clinician credential to log into a Life2000 ventilator and change therapy settings. RE:2 requires local/serial proximity to the target device to apply the privileges. EC:4 once authenticated, changing settings is the device’s normal trivial workflow. AT:3 clinician-level control of therapy settings is service/command authority modifying device operation (not root-of-trust, so not 4). PH:3 altering ventilator therapy settings reduces safety margins / can cause unsafe therapy on a life-support device; credible harm but mediated by needing local access and clinical oversight, so 3 rather than 4. DP:3 sensitive operational/therapy state. CH:4 / boundary_crossing: crosses credential->device->physical/safety domains. SR:4 same shared hard-coded credential. SX:2 per-device, requires local/serial proximity. OR:4 unfixable secret without firmware update -> recovery_needs_fleet_action.
- perception_feeds_action — false: this is direct actuation control, not manipulated perception driving action. EV:2 report-backed, PATCH_AVAILABLE.
ACCOUNT_AUTHORITY → CRITICAL
CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:3/EC:4/EX:3/PH:3/DP:3/AT:2/CH:4/SR:4/SX:3/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=3 (reachability-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · uplift recall-class recovery → assessed CRITICAL.
Hard-coded Clinician / Serial-Number Clinician passwords extracted from device firmware (RE:3 attacker uses own device/firmware copy, no victim hardware needed; AV:L but extractable from any unit). Extraction is straightforward once firmware/device available (EC:4). AT:2 because it grants a bounded clinician-level account, not admin/root/signing authority. DP:3 credential exposure. CH:4 / boundary_crossing: the recovered shared secret bridges from device-extraction to a reusable authority across the fleet. SR:4 the credential is shared/hard-coded across the entire fleet (portable secret). SX:3 reusable deployment-wide but each device still needs local/serial access to apply. OR:4 a hard-coded secret cannot be rotated without firmware update across the fleet -> recovery_needs_fleet_action. EV:2 report-backed.
Published baseline
- v3.1 9.3 CRITICAL —
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — Baxter/Product Security via NVD
The published baseline above is retained for source review. Paths decomposes the consequence into authority, perception, safety, scale, and recoverability paths rather than using the baseline score as the primary registry frame.
Sources