CVE-2015-3459 — HIGH (10.0)

Q: How severe is CVE-2015-3459?

CVE-2015-3459 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-3459?

Check the references section above for vendor advisories and patch information. Affected products include: Hospira Lifecare Pcainfusion Firmware, Hospira Lifecare Pca3, Hospira Lifecare Pca5.

Vulnerability Description

The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

CVSS Score

10.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Hospira	Lifecare Pcainfusion Firmware	<= 5.0
Hospira	Lifecare Pca3	-
Hospira	Lifecare Pca5	-

Related Weaknesses (CWE)

CWE-264

References

http://hextechsecurity.com/?p=123Broken Link
http://imgur.com/CEAnZjjNot Applicable
http://imgur.com/JHiWSqdNot Applicable
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htmThird Party AdvisoryUS Government Resource
http://www.securityfocus.com/bid/74414Third Party AdvisoryVDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01Third Party AdvisoryUS Government Resource
https://twitter.com/dyngnosis/status/592671049487142913Press/Media Coverage
https://twitter.com/dyngnosis/status/592743461977219072Press/Media Coverage
http://hextechsecurity.com/?p=123Broken Link
http://imgur.com/CEAnZjjNot Applicable
http://imgur.com/JHiWSqdNot Applicable
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htmThird Party AdvisoryUS Government Resource
http://www.securityfocus.com/bid/74414Third Party AdvisoryVDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01Third Party AdvisoryUS Government Resource
https://twitter.com/dyngnosis/status/592671049487142913Press/Media Coverage

FAQ

What is CVE-2015-3459?

CVE-2015-3459 is a vulnerability with a CVSS score of 10.0 (HIGH). The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration...

How severe is CVE-2015-3459?

CVE-2015-3459 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3459?

Check the references section above for vendor advisories and patch information. Affected products include: Hospira Lifecare Pcainfusion Firmware, Hospira Lifecare Pca3, Hospira Lifecare Pca5.