CVE-2014-5406

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm	Third Party Advisory US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01	Third Party Advisory US Government Resource
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:hospira:lifecare_pca5:-:::::::*
	cpe:2.3:h:hospira:lifecare_pca3:-:::::::*

Information

Published : 2015-07-06 12:59

Updated : 2015-07-08 08:18

NVD link : CVE-2014-5406

Mitre link : CVE-2014-5406

JSON object : View

CWE

CWE-345

Insufficient Verification of Data Authenticity

Advertisement

Products Affected

hospira

lifecare_pcainfusion_firmware
lifecare_pca5
lifecare_pca3

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm", "name": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01", "name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}, {"url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/", "name": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/", "tags": [], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-345"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-5406", "ASSIGNER": "ics-cert@hq.dhs.gov"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-07-06T19:59Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:hospira:lifecare_pca5:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:hospira:lifecare_pca3:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2015-07-08T15:18Z"}