Vulnerability Description
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hospira | Lifecare Pcainfusion Firmware | <= 5.0 |
| Hospira | Lifecare Pca3 | - |
| Hospira | Lifecare Pca5 | - |
Related Weaknesses (CWE)
References
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htmThird Party AdvisoryUS Government Resource
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-12
- https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01
- https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabiliti
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htmThird Party AdvisoryUS Government Resource
- https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01Third Party AdvisoryUS Government Resource
- https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabiliti
FAQ
What is CVE-2014-5406?
CVE-2014-5406 is a vulnerability with a CVSS score of 7.6 (HIGH). The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote ...
How severe is CVE-2014-5406?
CVE-2014-5406 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-5406?
Check the references section above for vendor advisories and patch information. Affected products include: Hospira Lifecare Pcainfusion Firmware, Hospira Lifecare Pca3, Hospira Lifecare Pca5.