CVE-2015-3459 Detail

Current Description

The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

Severity



CVSS 3.x Severity and Metrics:

NIST: NVD Base Score: N/A (NVD score not yet provided.)

CVSS 2.0 Severity and Metrics:

NIST: NVD Base Score: 10.0 HIGH Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Weakness Enumeration

CWE-ID: CWE-264
CWE Name: Permissions, Privileges, and Access Controls
Source: NIST


Change History

7 change records found

Modified Analysis 1/03/2017 2:16:30 PM

Changed Reference Type
  Old Value: http://hextechsecurity.com/?p=123 No Types Assigned
  New Value: http://hextechsecurity.com/?p=123 Broken Link

Changed Reference Type
  Old Value: http://imgur.com/CEAnZjj No Types Assigned
  New Value: http://imgur.com/CEAnZjj Not Applicable

Changed Reference Type
  Old Value: http://imgur.com/JHiWSqd No Types Assigned
  New Value: http://imgur.com/JHiWSqd Not Applicable

Changed Reference Type
  Old Value: http://www.securityfocus.com/bid/74414 No Types Assigned
  New Value: http://www.securityfocus.com/bid/74414 Third Party Advisory, VDB Entry

Changed Reference Type
  Old Value: https://twitter.com/dyngnosis/status/592671049487142913 No Types Assigned
  New Value: https://twitter.com/dyngnosis/status/592671049487142913 Press/Media Coverage

Changed Reference Type
  Old Value: https://twitter.com/dyngnosis/status/592743461977219072 No Types Assigned
  New Value: https://twitter.com/dyngnosis/status/592743461977219072 Press/Media Coverage



CVE Modified by MITRE 1/02/2017 10:0:01 PM

Added Reference
  New Value: http://www.securityfocus.com/bid/74414 [No Types Assigned]



CVE Translated 2/17/2016 2:45:00 PM

Added Translation (Spanish; English rendering)
  New Value: The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

Removed Translation (Spanish; English rendering)
  Old Value: Hospira Lifecare PCA infusion pump running 'SW ver 412' does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.



Modified Analysis 7/13/2015 3:36:17 PM

Changed CPE Configuration
  Old Value:
    Configuration 1
    AND
      OR
        *cpe:2.3:o:hospira:lifecare_pcainfusion_pump_firmware:412:*:*:*:*:*:*:*
      OR
        cpe:2.3:h:hospira:lifecare_pcainfusion_pump:*:*:*:*:*:*:*:*
  New Value:
    Configuration 1
    AND
      OR
        *cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:5.0:*:*:*:*:*:*:* (and previous)
      OR
        *cpe:2.3:h:hospira:lifecare_pca5:-:*:*:*:*:*:*:*
        *cpe:2.3:h:hospira:lifecare_pca3:-:*:*:*:*:*:*:*

Changed Reference Type
  Old Value: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm US Govt Resource
  New Value: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm Advisory, US Govt Resource

Changed Reference Type
  Old Value: https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01 US Govt Resource
  New Value: https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01 Advisory, US Govt Resource



CVE Modified by Source 7/08/2015 9:59:06 PM

Changed Description
  Old Value: Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
  New Value: The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

Added Reference
  New Value: http://hextechsecurity.com/?p=123

Added Reference
  New Value: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Added Reference
  New Value: https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01



Modified Analysis 4/30/2015 2:56:34 PM

Added CPE Configuration
  New Value:
    Configuration 1
    AND
      OR
        *cpe:2.3:o:hospira:lifecare_pcainfusion_pump_firmware:412:*:*:*:*:*:*:*
      OR
        cpe:2.3:h:hospira:lifecare_pcainfusion_pump:*:*:*:*:*:*:*:*

Added CVSS V2
  New Value: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Added CWE
  New Value: CWE-264



Initial CVE Analysis 4/30/2015 2:6:05 PM

Quick Info

CVE Dictionary Entry: CVE-2015-3459
NVD Published Date: 04/29/2015
NVD Last Modified: 01/03/2017
Source: MITRE

