Vulnerability CVE-2015-3956


Published: 2019-03-25

Description:
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System, which is not vulnerable to this issue.

Type:
CWE-345 (Insufficient Verification of Data Authenticity)

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software
Pfizer -> Plum A+3 Infusion System firmware
Pfizer -> Plum A+ Infusion System firmware
Pfizer -> Symbiq Infusion System firmware

References:
https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01

Copyright 2020, cxsecurity.com
