ID

VAR-201802-0482


CVE

CVE-2017-12723


TITLE

Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Information Disclosure Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012527

DESCRIPTION

A Password in Configuration File issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Versions 1.1, 1.5, and 1.6. The pump stores some passwords in the configuration file, which are accessible if the pump is configured to allow external communications.

1. A buffer-overflow vulnerability
2. A denial-of-service vulnerability
3. An access-bypass vulnerability
4. Multiple security-bypass vulnerabilities

Attackers can exploit these issues to execute arbitrary code within the context of the affected device, cause a denial-of-service condition, bypass certain security restrictions, or gain unauthorized access to the device and perform unauthorized actions. This may lead to complete compromise of the device.

Trust: 2.7

sources: NVD: CVE-2017-12723 // JVNDB: JVNDB-2017-012527 // CNVD: CNVD-2017-25716 // BID: 100665 // IVD: 22078698-2afd-4d64-af1d-aac60ea533bd // VULHUB: VHN-103274

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.8

sources: IVD: 22078698-2afd-4d64-af1d-aac60ea533bd // CNVD: CNVD-2017-25716

AFFECTED PRODUCTS

vendor: smiths medical // model: medfusion 4000 wireless syringe infusion pump // scope: eq // version: 1.1

Trust: 2.4

vendor: smiths medical // model: medfusion 4000 wireless syringe infusion pump // scope: eq // version: 1.5

Trust: 2.4

vendor: smiths medical // model: medfusion 4000 wireless syringe infusion pump // scope: eq // version: 1.6

Trust: 2.4

vendor: smiths // model: medical medfusion wireless syringe infusion pump // scope: eq // version: 40001.1

Trust: 0.6

vendor: smiths // model: medical medfusion wireless syringe infusion pump // scope: eq // version: 40001.5

Trust: 0.6

vendor: smiths // model: medical medfusion wireless syringe infusion pump // scope: eq // version: 40001.6

Trust: 0.6

vendor: smiths medical // model: medfusion wireless syringe infusion pump // scope: eq // version: 40001.6

Trust: 0.3

vendor: smiths medical // model: medfusion wireless syringe infusion pump // scope: eq // version: 40001.5

Trust: 0.3

vendor: smiths medical // model: medfusion wireless syringe infusion pump // scope: eq // version: 40001.1

Trust: 0.3

vendor: medfusion 4000 syringe infusion pump // model: - // scope: eq // version: 1.1

Trust: 0.2

vendor: medfusion 4000 syringe infusion pump // model: - // scope: eq // version: 1.5

Trust: 0.2

vendor: medfusion 4000 syringe infusion pump // model: - // scope: eq // version: 1.6

Trust: 0.2

sources: IVD: 22078698-2afd-4d64-af1d-aac60ea533bd // CNVD: CNVD-2017-25716 // BID: 100665 // JVNDB: JVNDB-2017-012527 // CNNVD: CNNVD-201709-526 // NVD: CVE-2017-12723

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12723
value: LOW

Trust: 1.0

NVD: CVE-2017-12723
value: LOW

Trust: 0.8

CNVD: CNVD-2017-25716
value: LOW

Trust: 0.6

CNNVD: CNNVD-201709-526
value: MEDIUM

Trust: 0.6

IVD: 22078698-2afd-4d64-af1d-aac60ea533bd
value: MEDIUM

Trust: 0.2

VULHUB: VHN-103274
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12723
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-25716
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 22078698-2afd-4d64-af1d-aac60ea533bd
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-103274
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12723
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: IVD: 22078698-2afd-4d64-af1d-aac60ea533bd // CNVD: CNVD-2017-25716 // VULHUB: VHN-103274 // JVNDB: JVNDB-2017-012527 // CNNVD: CNNVD-201709-526 // NVD: CVE-2017-12723

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-103274 // JVNDB: JVNDB-2017-012527 // NVD: CVE-2017-12723

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-526

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201709-526

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012527

PATCH

title: Medfusion 4000 Wireless Syringe Infusion Pump // url: https://www.smiths-medical.com/products/infusion/syringe-infusion/syringe-infusion-pumps/medfusion-4000-wireless-syringe-infusion-pump

Trust: 0.8

title: Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Password Disclosure Vulnerability Patch // url: https://www.cnvd.org.cn/patchInfo/show/101780

Trust: 0.6

sources: CNVD: CNVD-2017-25716 // JVNDB: JVNDB-2017-012527

EXTERNAL IDS

db: NVD // id: CVE-2017-12723

Trust: 3.6

db: ICS CERT // id: ICSMA-17-250-02A

Trust: 2.5

db: BID // id: 100665

Trust: 2.0

db: CNNVD // id: CNNVD-201709-526

Trust: 0.9

db: ICS CERT // id: ICSMA-17-250-02

Trust: 0.9

db: CNVD // id: CNVD-2017-25716

Trust: 0.8

db: JVNDB // id: JVNDB-2017-012527

Trust: 0.8

db: IVD // id: 22078698-2AFD-4D64-AF1D-AAC60EA533BD

Trust: 0.2

db: VULHUB // id: VHN-103274

Trust: 0.1

sources: IVD: 22078698-2afd-4d64-af1d-aac60ea533bd // CNVD: CNVD-2017-25716 // VULHUB: VHN-103274 // BID: 100665 // JVNDB: JVNDB-2017-012527 // CNNVD: CNNVD-201709-526 // NVD: CVE-2017-12723

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsma-17-250-02a

Trust: 2.5

url:http://www.securityfocus.com/bid/100665

Trust: 1.7

url:https://ics-cert.us-cert.gov/advisories/icsma-17-250-02

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12723

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12723

Trust: 0.8

url:https://www.smiths-medical.com/products/infusion/syringe-infusion/syringe-infusion-pumps/medfusion-4000-wireless-syringe-infusion-pump

Trust: 0.3

sources: CNVD: CNVD-2017-25716 // VULHUB: VHN-103274 // BID: 100665 // JVNDB: JVNDB-2017-012527 // CNNVD: CNNVD-201709-526 // NVD: CVE-2017-12723

CREDITS

Scott Gayou

Trust: 0.9

sources: BID: 100665 // CNNVD: CNNVD-201709-526

SOURCES

db: IVD // id: 22078698-2afd-4d64-af1d-aac60ea533bd
db: CNVD // id: CNVD-2017-25716
db: VULHUB // id: VHN-103274
db: BID // id: 100665
db: JVNDB // id: JVNDB-2017-012527
db: CNNVD // id: CNNVD-201709-526
db: NVD // id: CVE-2017-12723

LAST UPDATE DATE

2024-11-23T22:22:14.019000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2017-25716 // date: 2017-09-08T00:00:00
db: VULHUB // id: VHN-103274 // date: 2018-03-02T00:00:00
db: BID // id: 100665 // date: 2017-09-07T00:00:00
db: JVNDB // id: JVNDB-2017-012527 // date: 2018-03-19T00:00:00
db: CNNVD // id: CNNVD-201709-526 // date: 2018-08-23T00:00:00
db: NVD // id: CVE-2017-12723 // date: 2024-11-21T03:10:05.950

SOURCES RELEASE DATE

db: IVD // id: 22078698-2afd-4d64-af1d-aac60ea533bd // date: 2017-09-08T00:00:00
db: CNVD // id: CNVD-2017-25716 // date: 2017-09-08T00:00:00
db: VULHUB // id: VHN-103274 // date: 2018-02-15T00:00:00
db: BID // id: 100665 // date: 2017-09-07T00:00:00
db: JVNDB // id: JVNDB-2017-012527 // date: 2018-03-19T00:00:00
db: CNNVD // id: CNNVD-201709-526 // date: 2017-09-18T00:00:00
db: NVD // id: CVE-2017-12723 // date: 2018-02-15T10:29:00.430