NVD Vulnerability Detail

CVE-2015-3459

Summary	The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.
Publication Date	April 30, 2015, 8:59 a.m.
Registration Date	Jan. 26, 2021, 2:49 p.m.
Last Update	Nov. 21, 2024, 11:29 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:hospira:lifecare_pcainfusion_firmware::::::::		5.0
cpe:2.3:h:hospira:lifecare_pca3:-:::::::*
cpe:2.3:h:hospira:lifecare_pca5:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://hextechsecurity.com/?p=123	Broken Link
2	http://hextechsecurity.com/?p=123	Broken Link
3	http://imgur.com/CEAnZjj	Not Applicable
4	http://imgur.com/CEAnZjj	Not Applicable
5	http://imgur.com/JHiWSqd	Not Applicable
6	http://imgur.com/JHiWSqd	Not Applicable
7	http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm	Third Party Advisory US Government Resource
8	http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm	Third Party Advisory US Government Resource
9	http://www.securityfocus.com/bid/74414	Third Party Advisory VDB Entry
10	http://www.securityfocus.com/bid/74414	Third Party Advisory VDB Entry
11	https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01	Third Party Advisory US Government Resource
12	https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01	Third Party Advisory US Government Resource
13	https://twitter.com/dyngnosis/status/592671049487142913	Press/Media Coverage
14	https://twitter.com/dyngnosis/status/592671049487142913	Press/Media Coverage
15	https://twitter.com/dyngnosis/status/592743461977219072	Press/Media Coverage
16	https://twitter.com/dyngnosis/status/592743461977219072	Press/Media Coverage

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

Hospira Lifecare PCA 輸液ポンプにおける root 権限を取得される脆弱性

Title	Hospira Lifecare PCA 輸液ポンプにおける root 権限を取得される脆弱性
Summary	Hospira Lifecare PCA 輸液ポンプは、Telnet セッションに認証を要求しないため、root 権限を取得される脆弱性が存在します。
Possible impacts	第三者により、TCP ポート 23 を介して、root 権限を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 27, 2015, midnight
Registration Date	May 1, 2015, 11:01 a.m.
Last Update	May 20, 2015, 5:46 p.m.

Affected System

ホスピーラ

LifeCare PCA Infusion System

LifeCare PCA Infusion System ファームウェア 412

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-3459	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3459
National Vulnerability Database (NVD)
2	CVE-2015-3459	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Hospira
1	LifeCare PCA Infusion System	http://www.hospira.com/en/products_and_services/infusion_pumps/Lifecare/

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-15-125-01	https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
関連文書
2	@SushiDude @XSSniper @scotterven @WIRED Hospira "Lifecare PCA Drug Infusion Pump"	https://twitter.com/dyngnosis/status/592743461977219072
3	Don't buy a Hospira PCA drug pump to do security stuff.	https://twitter.com/dyngnosis/status/592671049487142913
4	Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication	http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Change Log

No	Changed Details	Date of change
0	[2015年05月01日] 掲載 [2015年05月11日] 参考情報：ICS-CERT ADVISORY (ICSA-15-125-01) を追加 [2015年05月20日] 　参考情報：関連文書 (Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication) を追加	Feb. 17, 2018, 10:37 a.m.