Vulnerabilities related to bd - alaris_8015_pcu_firmware
Vulnerability from fkie_nvd
Published
2023-07-13 20:15
Modified
2024-11-21 08:00
Summary
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.
Impacted products
Vendor Product Version
bd alaris_8015_pcu_firmware *
bd alaris_8015_pcu -



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F594B01D-BC1A-46AE-9251-F4BBAE6178D5",
                     versionEndIncluding: "12.1.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.",
      },
   ],
   id: "CVE-2023-30561",
   lastModified: "2024-11-21T08:00:25.887",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 5.2,
            source: "cybersecurity@bd.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-07-13T20:15:09.013",
   references: [
      {
         source: "cybersecurity@bd.com",
         tags: [
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
   ],
   sourceIdentifier: "cybersecurity@bd.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-311",
            },
         ],
         source: "cybersecurity@bd.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-311",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-07-13 18:15
Modified
2024-11-21 08:00
Summary
The firmware update package for the wireless card is not properly signed and can be modified.
Impacted products
Vendor Product Version
bd alaris_8015_pcu_firmware *
bd alaris_8015_pcu -



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F594B01D-BC1A-46AE-9251-F4BBAE6178D5",
                     versionEndIncluding: "12.1.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The firmware update package for the wireless card is not properly signed and can be modified.",
      },
   ],
   id: "CVE-2023-30559",
   lastModified: "2024-11-21T08:00:25.620",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 5.2,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 4.2,
            source: "cybersecurity@bd.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 5.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 4.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-07-13T18:15:09.293",
   references: [
      {
         source: "cybersecurity@bd.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
   ],
   sourceIdentifier: "cybersecurity@bd.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-20",
            },
            {
               lang: "en",
               value: "CWE-345",
            },
         ],
         source: "cybersecurity@bd.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-287",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-07-13 19:15
Modified
2024-11-21 08:00
Summary
The configuration from the PCU can be modified without authentication using physical connection to the PCU.
Impacted products
Vendor Product Version
bd alaris_8015_pcu_firmware *
bd alaris_8015_pcu -



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F594B01D-BC1A-46AE-9251-F4BBAE6178D5",
                     versionEndIncluding: "12.1.3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The configuration from the PCU can be modified without authentication using physical connection to the PCU. \n\n\n\n\n\n\n\n",
      },
   ],
   id: "CVE-2023-30560",
   lastModified: "2024-11-21T08:00:25.753",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 6.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 5.9,
            source: "cybersecurity@bd.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "PHYSICAL",
               availabilityImpact: "HIGH",
               baseScore: 6.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-07-13T19:15:09.197",
   references: [
      {
         source: "cybersecurity@bd.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
      },
   ],
   sourceIdentifier: "cybersecurity@bd.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-287",
            },
         ],
         source: "cybersecurity@bd.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-287",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-11-13 16:15
Modified
2024-11-21 05:17
Summary
BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier. The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.
References
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B3B2243-0B6E-46C4-8F55-C18179DE4A24",
                     versionEndIncluding: "9.33.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:bd:alaris_systems_manager:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E184AA1-0325-46A1-83F4-4299C71F9940",
                     versionEndIncluding: "4.33",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.",
      },
      {
         lang: "es",
         value: "BD Alaris PC Unit, Model 8015, versiones 9.33.1 y anteriores y BD Alaris Systems Manager, versiones 4.33 y anteriores Los productos afectados son susceptibles a una vulnerabilidad de autenticación de sesión de red dentro del proceso de autenticación entre versiones especificadas del BD Alaris PC Unit y del BD Alaris Systems Manager. Si es explotado, un atacante podría llevar a cabo un ataque de denegación de servicio en el BD Alaris PC Unit para modificar unos encabezados de configuración de los datos en tránsito. Un ataque de denegación de servicio podría conllevar a una perdida en la capacidad inalámbrica del BD Alaris PC Unit, resultando en el funcionamiento manual del PC Unit",
      },
   ],
   id: "CVE-2020-25165",
   lastModified: "2024-11-21T05:17:31.443",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-11-13T16:15:18.027",
   references: [
      {
         source: "ics-cert@hq.dhs.gov",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
      },
   ],
   sourceIdentifier: "ics-cert@hq.dhs.gov",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-287",
            },
         ],
         source: "ics-cert@hq.dhs.gov",
         type: "Primary",
      },
   ],
}

cve-2023-30560
Vulnerability from cvelistv5
Published
2023-07-13 18:53
Modified
2024-10-31 17:33
Summary
The configuration from the PCU can be modified without authentication using physical connection to the PCU.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T14:28:51.941Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
               },
            ],
            title: "CVE Program Container",
         },
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:h:becton_dickinson_and_co:bd_alarisa_point_of_care_unit_model_8015:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "bd_alarisa_point_of_care_unit_model_8015",
                  vendor: "becton_dickinson_and_co",
                  versions: [
                     {
                        status: "affected",
                        version: "0",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-30560",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-31T17:29:20.439171Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-31T17:33:02.007Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "BD Alaris™ Point-of-Care Unit (PCU) Model 8015",
               vendor: "Becton Dickinson & Co ",
               versions: [
                  {
                     lessThanOrEqual: "12.1.3",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2023-07-13T18:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>The configuration from the PCU can be modified without authentication using physical connection to the PCU. </p>\n\n\n\n\n\n",
                  },
               ],
               value: "The configuration from the PCU can be modified without authentication using physical connection to the PCU. \n\n\n\n\n\n\n\n",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-114",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-114 Authentication Abuse",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "HIGH",
                  baseScore: 6.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-287",
                     description: "CWE-287 Improper Authentication",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-07-13T18:53:49.951Z",
            orgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
            shortName: "BD",
         },
         references: [
            {
               url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         title: " PCU Configuration Lacks Authentication",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
      assignerShortName: "BD",
      cveId: "CVE-2023-30560",
      datePublished: "2023-07-13T18:53:49.951Z",
      dateReserved: "2023-04-12T16:30:07.536Z",
      dateUpdated: "2024-10-31T17:33:02.007Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-25165
Vulnerability from cvelistv5
Published
2020-11-13 15:06
Modified
2024-08-04 15:26
Severity ?
Summary
BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier. The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.
References
Impacted products
Vendor Product Version
n/a BD Alaris PC Unit and BD Alaris Systems Manager Version: BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T15:26:09.484Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "BD Alaris PC Unit and BD Alaris Systems Manager",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-287",
                     description: "IMPROPER AUTHENTICATION CWE-287",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-11-13T15:06:08",
            orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            shortName: "icscert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "ics-cert@hq.dhs.gov",
               ID: "CVE-2020-25165",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "BD Alaris PC Unit and BD Alaris Systems Manager",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "IMPROPER AUTHENTICATION CWE-287",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
                     refsource: "MISC",
                     url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-317-01",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
      assignerShortName: "icscert",
      cveId: "CVE-2020-25165",
      datePublished: "2020-11-13T15:06:08",
      dateReserved: "2020-09-04T00:00:00",
      dateUpdated: "2024-08-04T15:26:09.484Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-30561
Vulnerability from cvelistv5
Published
2023-07-13 19:03
Modified
2024-10-22 16:07
Summary
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T14:28:51.672Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-30561",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-22T15:49:18.852817Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-22T16:07:16.822Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "BD Alaris™ Point-of-Care Unit (PCU) Model 8015",
               vendor: "Becton Dickinson & Co",
               versions: [
                  {
                     lessThanOrEqual: "12.1.3",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2023-07-13T18:56:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.",
                  },
               ],
               value: "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-390",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-390 Bypassing Physical Security",
                  },
               ],
            },
            {
               capecId: "CAPEC-94",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-94 Man in the Middle Attack",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "HIGH",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-311",
                     description: "CWE-311 Missing Encryption of Sensitive Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-07-13T19:03:17.356Z",
            orgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
            shortName: "BD",
         },
         references: [
            {
               url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         title: "Lack of Cryptographic Security of IUI Bus ",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
      assignerShortName: "BD",
      cveId: "CVE-2023-30561",
      datePublished: "2023-07-13T19:03:17.356Z",
      dateReserved: "2023-04-12T16:30:07.537Z",
      dateUpdated: "2024-10-22T16:07:16.822Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-30559
Vulnerability from cvelistv5
Published
2023-07-13 17:50
Modified
2024-08-02 14:28
Summary
The firmware update package for the wireless card is not properly signed and can be modified.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T14:28:51.809Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "BD Alaris™ Point-of-Care Unit (PCU) Model 8015",
               vendor: "Becton Dickinson & Co ",
               versions: [
                  {
                     lessThanOrEqual: "12.1.3",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2023-07-13T14:59:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "The firmware update package for the wireless card is not properly signed and can be modified.",
                  },
               ],
               value: "The firmware update package for the wireless card is not properly signed and can be modified.",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-638",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-638 Altered Component Firmware",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "HIGH",
                  baseScore: 5.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20 Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-345",
                     description: "CWE-345 Insufficient Verification of Data Authenticity",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-08T21:52:28.547Z",
            orgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
            shortName: "BD",
         },
         references: [
            {
               url: "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Wireless Card Firmware Improperly Signed",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "2325d071-eabf-4b7b-a4ea-0819b6629a18",
      assignerShortName: "BD",
      cveId: "CVE-2023-30559",
      datePublished: "2023-07-13T17:50:13.176Z",
      dateReserved: "2023-04-12T16:30:07.536Z",
      dateUpdated: "2024-08-02T14:28:51.809Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}