CVE-2024-48970 – Life2000 Ventilator microcontroller lacks memory protection
https://notcve.org/view.php?id=CVE-2024-48970
An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01 • CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
CVE-2024-48974 – Life2000 Ventilator does not perform proper file integrity checks when adopting firmware updates
https://notcve.org/view.php?id=CVE-2024-48974
This could disrupt the function of the device and/or cause unauthorized information disclosure. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01 • CWE-494: Download of Code Without Integrity Check
CVE-2024-48973 – Debug port on Life2000 Ventilator serial interface is enabled by default
https://notcve.org/view.php?id=CVE-2024-48973
This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01 • CWE-1263: Improper Physical Access Control
CVE-2024-9832 – No limit on failed login attempts with Clinician Password or Serial Number Clinician Password on Life2000 Ventilator
https://notcve.org/view.php?id=CVE-2024-9832
An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01 • CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2024-9834 – Improper data protection on Life2000 ventilator serial interface
https://notcve.org/view.php?id=CVE-2024-9834
Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance. • https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01 • CWE-319: Cleartext Transmission of Sensitive Information