Title | Project 1 - Vulnerability Memo |
---|---|
Author | Aaron Henry |
Course | Introduction to the U.S. Health Care Sector |
Institution | University of Maryland Global Campus |
Pages | 3 |
File Size | 172.4 KB |
File Type | |
Total Downloads | 66 |
Total Views | 152 |
memo...
Memo To:
Andrew Humes
From Aaron Henry : Date: October 10, 2020 Re: Vulnerability Report
The intent of this memorandum is to address, inform, and provide recommendations on proper mitigation steps required to correcting exploits that have been readily identified within Iot/ IoTM devices. It is the goal of this correspondence to provide detailed and informative resolutions to these devices with known exploits and to be able to make an educated security driven decision to that will strengthen security measures within this facility as to reduce exploits, vulnerabilities and weaknesses. Device 1: [NETGEAR WC7500/WC7600/WC7600v2/WC9500]
Product Description As Wireless networking continues to provide a desire to be connected anytime, anywhere a through a plethora of devices. NETGEAR Wireless Controller offer users just the means. The device enables wireless users the ability to seamlessly roam while continuously connected to an associated IT network. This device also has the capability to protect against intruders via advanced wireless rogue AP detection algorithms. The NETGEAR can also segment guest and corporate access with multiple SSIDs, Guest Captive Portal, and standard based VLAN configurations.
Vulnerability Memo
Page 3 of 3
CVE-2020-26931 - NETGEAR Wireless Controllers are affected by disclosure of sensitive information. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. Upgrading to version 6.5.5.24 eliminates this vulnerability. Recommendation - Currently NETGEAR has released a firmware update for the above mentioned wireless device(s). This current update will alleviate the known vulnerability within the listed device(s). Decision - Until all wireless controllers have been properly updated with the latest firmware, it is in the best decision to remove all wireless devices. Once firmware (version 6.5.5.24) has been downloaded and verified as up to date, the facility is free to re-install the wireless controllers for use within the facility.
Device 2: [Baxter PrismaFlex]
Product Description The Baxter PrismaFlex a system designed to treat and meet the needs of critically ill patients with acute kidney injury (AKI). The PRISMAFLEX System has the ability to pump blood from the patient through a filter and back to the patient. As the blood passes through the filter, the desired treatment processes take place. The Baxter PrismaFlex has the ability to maintain metabolic control, increase fluid removal Acid/base control, and provide Electrolyte balance. CVE-2020-12036 – It has been discovered that the Baxter PrismaFlex (all versions) has a vulnerability that does do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to the PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker would have the ability to observe sensitive data sent from the device. Recommendation - This report recommends the facility completes the following actions to reduce risk and compensate controls. Ensure physical controls within user’s facility to protect against unauthorized access are implemented. This may minimize those who do not possess the appropriate level of access, need-to-know, or clearance. Ensure all passwords are kept safe and secure either in an approved safe or off site location. The device should be used only in accordance with its intended use and not for email, Internet access, file sharing, or other nonapproved use. No software of any kind should be installed on the device unless approved, in writing, by Baxter. Decision - It is in the best decision of this facility that all Baxter PrismaFlex devices be removed and banned from use until a product can be procured that produces less exploits and vulnerabilities. Utilizing this device could result in the compromise of patient information through various. Have this type of leak of PHI violates various HIPPA agreements and may cause local and federal ramifications with some punitive in nature.
Vulnerability Memo
Page 3 of 3
Works Cited Security Advisory for Sensitive Information Disclosure on Some Wireless Controllers, PSV-20200268. (2020, October 3). https://kb.netgear.com/000062321/Security-Advisory-forSensitive-Information-Disclosure-on-Some-Wireless-Controllers-PSV-2020-0268. Wireless Management. NETGEAR. https://www.netgear.com/business/products/wireless/wirelessmanagement/. CVE-2020-26931. CVE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26931. Prismaflex System for Critical Care. Baxter. https://www.baxter.com/healthcareprofessionals/critical-care/prismaflex-system-critical-care. Whooley, S. (2020, June 19). Baxter systems flagged for cybersecurity vulnerabilities. MassDevice. https://www.massdevice.com/baxter-systems-flagged-for-cybersecurityvulnerabilities/. CVE-2020-12036. CVE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12036....