CVE-2015-3954

EUVD-2015-3985

25.03.2019, 17:29

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommends that customers close Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Affected Products (NVD)

Vendor	Product	Version
pifzer	plum_a\+_infusion_system_firmware	𝑥 ≤ 13.4
pifzer	plum_a\+3_infusion_system_firmware	𝑥 ≤ 13.6
pifzer	symbiq_infusion_system_firmware	𝑥 ≤ 3.13

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01