Details of VAR-201507-0461

ID

VAR-201507-0461

CVE

CVE-2014-5406

TITLE

Hospira LifeCare PCA Infusion System Vulnerabilities whose settings are changed

Trust: 0.8

sources: JVNDB: JVNDB-2014-008092

DESCRIPTION

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459. This vulnerability CVE-2015-3459 And may be duplicated. Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. Hospira LifeCare PCA Infusion System is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks. Hospira LifeCare PCA Infusion System 5.0 and prior versions are vulnerable

Trust: 2.07

sources: NVD: CVE-2014-5406 // JVNDB: JVNDB-2014-008092 // BID: 74476 // VULHUB: VHN-73347 // VULMON: CVE-2014-5406

AFFECTED PRODUCTS

vendor:	hospira	model:	lifecare pcainfusion	scope:	lte	version:	5.0	Trust: 1.0
vendor:	hospira	model:	lifecare pca infusion system	scope:	lt	version:	7.0	Trust: 0.8
vendor:	hospira	model:	lifecare pca3	scope:	-	version:	-	Trust: 0.8
vendor:	hospira	model:	lifecare pca5	scope:	-	version:	-	Trust: 0.8
vendor:	hospira	model:	lifecare pcainfusion	scope:	eq	version:	5.0	Trust: 0.6

sources: JVNDB: JVNDB-2014-008092 // CNNVD: CNNVD-201505-299 // NVD: CVE-2014-5406

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-5406
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-5406
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201505-299
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-73347
value:	HIGH
Trust: 0.1
VULMON:	CVE-2014-5406
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-5406
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-73347
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-73347 // VULMON: CVE-2014-5406 // JVNDB: JVNDB-2014-008092 // CNNVD: CNNVD-201505-299 // NVD: CVE-2014-5406

PROBLEMTYPE DATA

problemtype:	CWE-345	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-73347 // JVNDB: JVNDB-2014-008092 // NVD: CVE-2014-5406

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-299

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201505-299

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008092

PATCH

title:

LifeCare PCA Infusion System

url:

http://www.hospira.com/en/products_and_services/infusion_pumps/Lifecare/

Trust: 0.8

sources: JVNDB: JVNDB-2014-008092

EXTERNAL IDS

db:	NVD	id:	CVE-2014-5406	Trust: 2.9
db:	ICS CERT	id:	ICSA-15-125-01	Trust: 1.8
db:	BID	id:	74476	Trust: 1.1
db:	ICS CERT	id:	ICSA-15-125-01B	Trust: 0.9
db:	JVNDB	id:	JVNDB-2014-008092	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-299	Trust: 0.7
db:	VULHUB	id:	VHN-73347	Trust: 0.1
db:	VULMON	id:	CVE-2014-5406	Trust: 0.1

sources: VULHUB: VHN-73347 // VULMON: CVE-2014-5406 // BID: 74476 // JVNDB: JVNDB-2014-008092 // CNNVD: CNNVD-201505-299 // NVD: CVE-2014-5406

REFERENCES

url:	http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm446809.htm	Trust: 2.6
url:	https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/	Trust: 2.6
url:	https://ics-cert.us-cert.gov/advisories/icsa-15-125-01	Trust: 1.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-15-125-01b	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5406	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5406	Trust: 0.8
url:	http://www.securityfocus.com/bid/74476	Trust: 0.7
url:	https://cwe.mitre.org/data/definitions/345.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-73347 // VULMON: CVE-2014-5406 // JVNDB: JVNDB-2014-008092 // CNNVD: CNNVD-201505-299 // NVD: CVE-2014-5406

CREDITS

Billy Rios

Trust: 0.9

sources: BID: 74476 // CNNVD: CNNVD-201505-299

SOURCES

db:	VULHUB	id:	VHN-73347
db:	VULMON	id:	CVE-2014-5406
db:	BID	id:	74476
db:	JVNDB	id:	JVNDB-2014-008092
db:	CNNVD	id:	CNNVD-201505-299
db:	NVD	id:	CVE-2014-5406

LAST UPDATE DATE

2025-04-13T23:09:18.806000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-73347	date:	2015-07-08T00:00:00
db:	VULMON	id:	CVE-2014-5406	date:	2015-07-08T00:00:00
db:	BID	id:	74476	date:	2015-07-15T00:29:00
db:	JVNDB	id:	JVNDB-2014-008092	date:	2015-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201505-299	date:	2015-07-07T00:00:00
db:	NVD	id:	CVE-2014-5406	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-73347	date:	2015-07-06T00:00:00
db:	VULMON	id:	CVE-2014-5406	date:	2015-07-06T00:00:00
db:	BID	id:	74476	date:	2015-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2014-008092	date:	2015-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201505-299	date:	2015-05-18T00:00:00
db:	NVD	id:	CVE-2014-5406	date:	2015-07-06T19:59:00.097