Vulnerability Details : CVE-2015-3459
The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.
Products affected by CVE-2015-3459
- cpe:2.3:h:hospira:lifecare_pca5:-:*:*:*:*:*:*:*
- cpe:2.3:h:hospira:lifecare_pca3:-:*:*:*:*:*:*:*
- cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-3459
- 2.21%: Probability of exploitation activity in the next 30 days
- ~ 88 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-3459
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2015-3459
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3459
- https://twitter.com/dyngnosis/status/592743461977219072
  dyngnosis on Twitter: "@SushiDude @XSSniper @scotterven @WIRED Hospira "Lifecare PCA Drug Infusion Pump" http://t.co/JjAVF3J9KO SW ver 412 http://t.co/rSS0gqtfby" (Press/Media Coverage)
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
  Third Party Advisory; US Government Resource
- http://imgur.com/CEAnZjj
  Not Applicable
- https://twitter.com/dyngnosis/status/592671049487142913
  dyngnosis on Twitter: "Don't buy a Hospira PCA drug pump to do security stuff. Busybx no passwd shell on 23, no-auth CGIs, also never hook it up to a human being" (Press/Media Coverage)
- http://www.securityfocus.com/bid/74414
  Hospira Lifecare PCA Infusion Pump CVE-2015-3459 Authentication Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
  Third Party Advisory; US Government Resource
- http://imgur.com/JHiWSqd
  Not Applicable