Vulnerability Details CVE-2015-3459
The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.169
EPSS Ranking 94.6%
CVSS Severity
CVSS v2 Score 10.0
References
- http://hextechsecurity.com/?p=123
- http://imgur.com/CEAnZjj
- http://imgur.com/JHiWSqd
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
- http://www.securityfocus.com/bid/74414
- https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
- https://twitter.com/dyngnosis/status/592671049487142913
- https://twitter.com/dyngnosis/status/592743461977219072
- http://hextechsecurity.com/?p=123
- http://imgur.com/CEAnZjj
- http://imgur.com/JHiWSqd
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
- http://www.securityfocus.com/bid/74414
- https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
- https://twitter.com/dyngnosis/status/592671049487142913
- https://twitter.com/dyngnosis/status/592743461977219072
Products affected by CVE-2015-3459
-
cpe:2.3:h:hospira:lifecare_pca3:-
-
cpe:2.3:h:hospira:lifecare_pca5:-
-
cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:5.0