CVE-2015-3956

Published Mar 25, 2019

Last updated 5 years ago

CVSS critical 9.8

Overview

Description: Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.
Source: ics-cert@hq.dhs.gov
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 10
Impact score: 10
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-345
ics-cert@hq.dhs.gov: CWE-345

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:pifzer:plum_a\\+_infusion_system_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "61C1A9DD-F143-4D0C-871C-B6CD7AF9DAB2",
            "versionEndIncluding": "13.4"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:pifzer:plum_a\\+_infusion_system:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "1DB2490B-0318-4770-BF45-CD7527F15D7F"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:pifzer:plum_a\\+3_infusion_system_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8536E705-89E8-47CB-9567-6AD65FBA0F1B",
            "versionEndIncluding": "13.6"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:pifzer:plum_a\\+3_infusion_system:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "423AA561-8E38-4378-814B-1008B96F27A6"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:pifzer:symbiq_infusion_system_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C6DD5141-72AB-4694-8595-B4BED8EC7773",
            "versionEndIncluding": "3.13"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:pifzer:symbiq_infusion_system:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "5C295E1A-BF60-476D-B972-5C5C28D7633B"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References