ID

VAR-201702-0856


CVE

CVE-2016-9355


TITLE

Alaris 8015 PC unit Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62 // CNVD: CNVD-2017-01600

DESCRIPTION

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. The Alaris 8015 PC unit, made by the US company BD, is the heart of the Alaris System and provides a common user interface for programming intravenous infusions. An information disclosure vulnerability exists in the Alaris 8015 PC unit. Attackers can exploit this vulnerability to obtain sensitive information and launch further attacks.

Trust: 2.61

sources: NVD: CVE-2016-9355 // JVNDB: JVNDB-2016-008012 // CNVD: CNVD-2017-01600 // BID: 96116 // IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62 // CNVD: CNVD-2017-01600

AFFECTED PRODUCTS

vendor: bd, model: alaris 8015 pc unit, scope: eq, version: 9.7

Trust: 1.6

vendor: bd, model: alaris 8015 pc unit, scope: lte, version: 9.5

Trust: 1.0

vendor: bd, model: alaris pc unit, scope: eq, version: 80159.5

Trust: 0.9

vendor: bd, model: alaris pc unit, scope: eq, version: 80159.4

Trust: 0.9

vendor: becton dickinson and bd, model: alaris 8015 pc unit, scope: lte, version: 9.5

Trust: 0.8

vendor: becton dickinson and bd, model: alaris 8015 pc unit, scope: eq, version: 9.7

Trust: 0.8

vendor: bd, model: alaris 8015 pc unit, scope: eq, version: 9.5

Trust: 0.6

vendor: alaris 8015 pc unit, model: -, scope: eq, version: *

Trust: 0.2

vendor: alaris 8015 pc unit, model: -, scope: eq, version: 9.7

Trust: 0.2

sources: IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62 // CNVD: CNVD-2017-01600 // BID: 96116 // JVNDB: JVNDB-2016-008012 // NVD: CVE-2016-9355 // CNNVD: CNNVD-201702-382

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2016-9355
value: MEDIUM

Trust: 1.8

CNVD: CNVD-2017-01600
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201702-382
value: LOW

Trust: 0.6

IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62
value: LOW

Trust: 0.2

NVD:
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2016-9355
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-01600
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

NVD:
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 4.0
version: 3.0

Trust: 1.0

NVD: CVE-2016-9355
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62 // CNVD: CNVD-2017-01600 // JVNDB: JVNDB-2016-008012 // NVD: CVE-2016-9355 // CNNVD: CNNVD-201702-382

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2016-008012 // NVD: CVE-2016-9355

THREAT TYPE

local

Trust: 0.9

sources: BID: 96116 // CNNVD: CNNVD-201702-382

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201702-382

CONFIGURATIONS

sources: NVD: CVE-2016-9355

PATCH

title: Alaris PC unit, url: http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit

Trust: 0.8

sources: JVNDB: JVNDB-2016-008012

EXTERNAL IDS

db: NVD, id: CVE-2016-9355

Trust: 3.5

db: ICS CERT, id: ICSMA-17-017-02

Trust: 2.5

db: BID, id: 96116

Trust: 1.9

db: CNVD, id: CNVD-2017-01600

Trust: 0.8

db: CNNVD, id: CNNVD-201702-382

Trust: 0.8

db: ICS CERT, id: ICSMA-17-017-02A

Trust: 0.8

db: JVNDB, id: JVNDB-2016-008012

Trust: 0.8

db: IVD, id: 4F54F6B1-67A9-4779-969F-14D9021C9A62

Trust: 0.2

sources: IVD: 4f54f6b1-67a9-4779-969f-14d9021c9a62 // CNVD: CNVD-2017-01600 // BID: 96116 // JVNDB: JVNDB-2016-008012 // NVD: CVE-2016-9355 // CNNVD: CNNVD-201702-382

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-17-017-02

Trust: 1.9

url: http://www.securityfocus.com/bid/96116

Trust: 1.6

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9355

Trust: 0.8

url: https://ics-cert.us-cert.gov/advisories/icsma-17-017-02a

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-9355

Trust: 0.8

url: https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02

Trust: 0.6

url: http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit

Trust: 0.3

sources: CNVD: CNVD-2017-01600 // BID: 96116 // JVNDB: JVNDB-2016-008012 // NVD: CVE-2016-9355 // CNNVD: CNNVD-201702-382

CREDITS

Becton, Dickinson and Company (BD)

Trust: 0.6

sources: CNNVD: CNNVD-201702-382

SOURCES

db: IVD, id: 4f54f6b1-67a9-4779-969f-14d9021c9a62
db: CNVD, id: CNVD-2017-01600
db: BID, id: 96116
db: JVNDB, id: JVNDB-2016-008012
db: NVD, id: CVE-2016-9355
db: CNNVD, id: CNNVD-201702-382

LAST UPDATE DATE

2023-12-18T12:51:24.613000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-01600, date: 2017-02-20T00:00:00
db: BID, id: 96116, date: 2017-03-07T04:01:00
db: JVNDB, id: JVNDB-2016-008012, date: 2017-04-07T00:00:00
db: NVD, id: CVE-2016-9355, date: 2017-03-16T17:08:35.180
db: CNNVD, id: CNNVD-201702-382, date: 2021-03-17T00:00:00

SOURCES RELEASE DATE

db: IVD, id: 4f54f6b1-67a9-4779-969f-14d9021c9a62, date: 2017-02-20T00:00:00
db: CNVD, id: CNVD-2017-01600, date: 2017-02-20T00:00:00
db: BID, id: 96116, date: 2017-02-07T00:00:00
db: JVNDB, id: JVNDB-2016-008012, date: 2017-04-07T00:00:00
db: NVD, id: CVE-2016-9355, date: 2017-02-13T22:59:00.240
db: CNNVD, id: CNNVD-201702-382, date: 2017-02-13T00:00:00