Vulnerability CVE-2015-3459
Published: 2015-04-29   Modified: 2015-04-30

Description:
The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Hospira -> Lifecare pcainfusion pump firmware 
Hospira -> Lifecare pca3 
Hospira -> Lifecare pca5 
Hospira -> Lifecare pcainfusion firmware 

 References:
http://imgur.com/CEAnZjj
http://imgur.com/JHiWSqd
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
http://www.securityfocus.com/bid/74414
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://twitter.com/dyngnosis/status/592671049487142913
https://twitter.com/dyngnosis/status/592743461977219072
Copyright 2024, cxsecurity.com

 

Back to Top