ID

VAR-201903-0656


CVE

CVE-2015-3956


TITLE

Multiple Hospira Product Vulnerabilities related to insufficient verification of data authenticity

Trust: 0.8

sources: JVNDB: JVNDB-2015-008250

DESCRIPTION

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System, which is not vulnerable to this issue. The Hospira Plum A+ Infusion System, Plum A+3 Infusion System, and Symbiq Infusion System contain a vulnerability related to insufficient verification of data authenticity. Information may be obtained or altered, and service operation may be disrupted (DoS). Multiple Hospira products are prone to multiple security-bypass vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. A security bypass vulnerability exists in several Hospira products. An issue in the Hospira Plum A+ and Symbiq Infusion Systems could allow an unauthenticated, remote malicious user to take complete control of a targeted system. The issue is due to insufficient verification of supplied data authenticity by the affected software. A successful exploit could result in a complete system compromise. ICS-CERT has confirmed the vulnerability; however, updated software is not available.

Trust: 2.07

sources: NVD: CVE-2015-3956 // JVNDB: JVNDB-2015-008250 // BID: 75133 // VULHUB: VHN-81917 // VULMON: CVE-2015-3956

AFFECTED PRODUCTS

vendor: pifzer, model: plum a\+3 infusion system, scope: lte, version: 13.6

Trust: 1.0

vendor: pifzer, model: plum a\+ infusion system, scope: lte, version: 13.4

Trust: 1.0

vendor: pifzer, model: symbiq infusion system, scope: lte, version: 3.13

Trust: 1.0

vendor: pfizer, model: symbiq infusion system, scope: lte, version: 3.13

Trust: 0.8

vendor: hospira, model: plum a+ infusion system, scope: lte, version: 13.4

Trust: 0.8

vendor: hospira, model: plum a+3 infusion system, scope: lte, version: 13.6

Trust: 0.8

sources: JVNDB: JVNDB-2015-008250 // NVD: CVE-2015-3956

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3956
value: CRITICAL

Trust: 1.0

NVD: CVE-2015-3956
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201506-437
value: CRITICAL

Trust: 0.6

VULHUB: VHN-81917
value: HIGH

Trust: 0.1

VULMON: CVE-2015-3956
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-3956
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-81917
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-3956
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-81917 // VULMON: CVE-2015-3956 // JVNDB: JVNDB-2015-008250 // CNNVD: CNNVD-201506-437 // NVD: CVE-2015-3956

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.9

sources: VULHUB: VHN-81917 // JVNDB: JVNDB-2015-008250 // NVD: CVE-2015-3956

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201506-437

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201506-437

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-008250

PATCH

title: Top Page, url: https://www.pfizer.com/

Trust: 0.8

sources: JVNDB: JVNDB-2015-008250

EXTERNAL IDS

db: NVD, id: CVE-2015-3956

Trust: 2.9

db: ICS CERT, id: ICSA-15-161-01

Trust: 2.6

db: JVNDB, id: JVNDB-2015-008250

Trust: 0.8

db: CNNVD, id: CNNVD-201506-437

Trust: 0.6

db: BID, id: 75133

Trust: 0.4

db: VULHUB, id: VHN-81917

Trust: 0.1

db: VULMON, id: CVE-2015-3956

Trust: 0.1

sources: VULHUB: VHN-81917 // VULMON: CVE-2015-3956 // BID: 75133 // JVNDB: JVNDB-2015-008250 // CNNVD: CNNVD-201506-437 // NVD: CVE-2015-3956

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-15-161-01

Trust: 2.7

url:https://nvd.nist.gov/vuln/detail/cve-2015-3956

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3956

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/345.html

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=39313

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-81917 // VULMON: CVE-2015-3956 // JVNDB: JVNDB-2015-008250 // CNNVD: CNNVD-201506-437 // NVD: CVE-2015-3956

CREDITS

Billy Rios

Trust: 0.9

sources: BID: 75133 // CNNVD: CNNVD-201506-437

SOURCES

db: VULHUB, id: VHN-81917
db: VULMON, id: CVE-2015-3956
db: BID, id: 75133
db: JVNDB, id: JVNDB-2015-008250
db: CNNVD, id: CNNVD-201506-437
db: NVD, id: CVE-2015-3956

LAST UPDATE DATE

2024-11-23T21:37:35.709000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-81917, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2015-3956, date: 2019-10-09T00:00:00
db: BID, id: 75133, date: 2015-07-15T00:28:00
db: JVNDB, id: JVNDB-2015-008250, date: 2019-05-10T00:00:00
db: CNNVD, id: CNNVD-201506-437, date: 2019-04-08T00:00:00
db: NVD, id: CVE-2015-3956, date: 2024-11-21T02:30:08.517

SOURCES RELEASE DATE

db: VULHUB, id: VHN-81917, date: 2019-03-25T00:00:00
db: VULMON, id: CVE-2015-3956, date: 2019-03-25T00:00:00
db: BID, id: 75133, date: 2015-06-11T00:00:00
db: JVNDB, id: JVNDB-2015-008250, date: 2019-05-10T00:00:00
db: CNNVD, id: CNNVD-201506-437, date: 2015-06-24T00:00:00
db: NVD, id: CVE-2015-3956, date: 2019-03-25T18:29:00.323