cvelistv5 - CVE-2016-8375

CVE-2016-8375 (GCVE-0-2016-8375)

Vulnerability from cvelistv5 – Published: 2017-02-13 22:00 – Updated: 2024-08-06 02:20

Summary

Severity ?

No CVSS data available.

CWE

BD Alaris 8000/8015 Insufficiently Protected Credentials Vulnerabilities

Assigner

icscert

References

URL

	Vendor	Product	Version
	n/a	BD Alaris 8015 through 9.7 and 8000	Affected: BD Alaris 8015 through 9.7 and 8000

ICSMA-17-017-02

Vulnerability from csaf_cisa - Published: 2017-01-17 00:00 - Updated: 2021-03-16 00:00

Summary

BD Alaris 8015 PC Unit (Update B)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an unauthorized user with physical access to the affected devices to access the host facility 's wireless network authentication credentials and other sensitive technical data, which may compromise the confidentiality, integrity, and availability of the device.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Dan Regalado",
          "Asher Davila Loranca",
          "Ryan Dion"
        ],
        "organization": "Palo Alto",
        "summary": "reporting these vulnerabilities to BD"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an unauthorized user with physical access to the affected devices to access the host facility \u0027s wireless network authentication credentials and other sensitive technical data, which may compromise the confidentiality, integrity, and availability of the device.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-017-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-017-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "BD Alaris 8015 PC Unit (Update B)",
    "tracking": {
      "current_release_date": "2021-03-16T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-17-017-02",
      "initial_release_date": "2017-01-17T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-01-17T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-17-017-02P BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities"
        },
        {
          "date": "2017-02-07T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSMA-17-017-02 BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities (Update A)"
        },
        {
          "date": "2017-10-19T00:00:00.000000Z",
          "legacy_version": "B",
          "number": "3",
          "summary": "ICSMA-17-017-02A BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities (Update B)"
        },
        {
          "date": "2021-03-16T00:00:00.000000Z",
          "legacy_version": "C",
          "number": "4",
          "summary": "ICSMA-17-017-02 BD Alaris 8015 PC Unit (Update C)"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.7",
                "product": {
                  "name": "Alaris 8015 PC unit: Version 9.7",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.33",
                "product": {
                  "name": "Alaris 8015 PC unit: Versions 9.33 and prior",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.5",
                "product": {
                  "name": "Alaris 8015 PC unit: Version 9.5 and prior versions",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          }
        ],
        "category": "vendor",
        "name": "Becton, Dickinson and Company (BD)"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-8375",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by removing the external Wi-Fi card from an Alaris 8015 PC unit and connecting a pre-programmed malicious CF (CompactFlash) card to perform the attack.CVE-2016-8375 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8375"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "BD has not developed a product fix to address these vulnerabilities, but has issued compensating controls to reduce the risk of exploitation.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "All Alaris System software versions less than 9.19 are end of life. BD recommends users upgrade Alaris System software when BD releases its next version of software, upon 510(k) clearance.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD recommends that users apply the following compensating controls:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD has released a security bulletin for the Alaris PC unit model 8015.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-alaris-pc-unit-model-8015-update"
        },
        {
          "category": "vendor_fix",
          "details": "For additional information about the identified vulnerabilities or BD \u0027s compensating controls, please contact BD \u0027s Customer Support.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2016-9355",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthorized user with physical access to an Alaris 8015 PC unit may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory. Physical access to the CF card allows an attacker to overwrite application and internal data (logs, drug library, etc.). Older software versions of the Alaris 8015 PC unit (Version 9.5 and prior) store wireless network authentication credentials and other sensitive technical data on the affected device \u0027s removable flash memory. It is not difficult to obtain this data, but very difficult to interpret and change it to create an exploit that is progressive. In addition, the proprietary nature of the stored data format makes it unlikely modification of the CF card would go undetected.CVE-2016-9355 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9355"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "BD has not developed a product fix to address these vulnerabilities, but has issued compensating controls to reduce the risk of exploitation.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "All Alaris System software versions less than 9.19 are end of life. BD recommends users upgrade Alaris System software when BD releases its next version of software, upon 510(k) clearance.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD recommends that users apply the following compensating controls:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD has released a security bulletin for the Alaris PC unit model 8015.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-alaris-pc-unit-model-8015-update"
        },
        {
          "category": "vendor_fix",
          "details": "For additional information about the identified vulnerabilities or BD \u0027s compensating controls, please contact BD \u0027s Customer Support.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

ICSMA-17-017-01

Vulnerability from csaf_cisa - Published: 2017-01-17 00:00 - Updated: 2017-02-07 00:00

Summary

ICSMA-17-017-01_BD Alaris 8000 Insufficiently Protected Credentials Vulnerability

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-017-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-017-01"
      }
    ],
    "title": "ICSMA-17-017-01_BD Alaris 8000 Insufficiently Protected Credentials Vulnerability",
    "tracking": {
      "current_release_date": "2017-02-07T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSMA-17-017-01",
      "initial_release_date": "2017-01-17T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-01-17T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-17-017-01P BD Alaris 8000 Insufficiently Protected Credentials Vulnerability"
        },
        {
          "date": "2017-02-07T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSMA-17-017-01 BD Alaris 8000 Insufficiently Protected Credentials Vulnerability (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": "Alaris 8000 PC unit: all versions",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8000 PC unit"
          }
        ],
        "category": "vendor",
        "name": "Becton, Dickinson and Company (BD)"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-8375",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthorized user with physical access to an Alaris 8000 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8000 PC unit and accessing the device \u0027s flash memory. The Alaris 8000 PC unit stores wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "BD has released a security bulletin for the Alaris PC unit (PCU) model 8000, which is available at the following location:",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "CVE-2016-8375"
    }
  ]
}

GSD-2016-8375

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-8375

Aliases

CVE-2016-8375

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-8375",
    "description": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.",
    "id": "GSD-2016-8375"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-8375"
      ],
      "details": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.",
      "id": "GSD-2016-8375",
      "modified": "2023-12-13T01:21:22.752181Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2016-8375",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BD Alaris 8015 through 9.7 and 8000",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "BD Alaris 8015 through 9.7 and 8000"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "BD Alaris 8000/8015 Insufficiently Protected Credentials Vulnerabilities"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01"
          },
          {
            "name": "96113",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/96113"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-8375"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-255"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01"
            },
            {
              "name": "96113",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/96113"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 0.5,
          "impactScore": 4.0
        }
      },
      "lastModifiedDate": "2017-03-16T17:25Z",
      "publishedDate": "2017-02-13T22:59Z"
    }
  }
}

VAR-201702-0080

Vulnerability from variot - Updated: 2023-12-18 12:51

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. The Alaris 8000 and 8015 PC units are at the heart of the BD Alaris system in the United States, providing a common user interface for programming intravenous fluids. An information disclosure vulnerability exists in Alaris 8000 and 8015 PC units. Attackers can exploit vulnerabilities to obtain sensitive information, leading to further attacks

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201702-0080",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "bd",
        "version": "9.7"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "bd",
        "version": "9.5"
      },
      {
        "model": "alaris pc unit",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "bd",
        "version": "80159.7"
      },
      {
        "model": "alaris pc unit",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "bd",
        "version": "80000"
      },
      {
        "model": "alaris 8000 pc unit",
        "scope": null,
        "trust": 0.8,
        "vendor": "becton dickinson and bd",
        "version": null
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "becton dickinson and bd",
        "version": "9.5"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "becton dickinson and bd",
        "version": "9.7"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "bd",
        "version": "9.5"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "alaris 8015 pc unit",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "alaris 8015 pc unit",
        "version": "9.7"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Dickinson and Company (BD),Becton",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2016-8375",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.4,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 1.9,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2016-8375",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 4.9,
            "id": "CNVD-2017-01601",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 4.9,
            "id": "4251f10a-2a51-4ee5-942d-63053efab9f2",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.5,
            "impactScore": 4.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Physical",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.9,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2016-8375",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-8375",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-01601",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201702-385",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "IVD",
            "id": "4251f10a-2a51-4ee5-942d-63053efab9f2",
            "trust": 0.2,
            "value": "LOW"
          },
          {
            "author": "VULMON",
            "id": "CVE-2016-8375",
            "trust": 0.1,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. The Alaris 8000 and 8015 PC units are at the heart of the BD Alaris system in the United States, providing a common user interface for programming intravenous fluids. An information disclosure vulnerability exists in Alaris 8000 and 8015 PC units. Attackers can exploit vulnerabilities to obtain sensitive information, leading to further attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375"
      }
    ],
    "trust": 2.7
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-8375",
        "trust": 3.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-017-01",
        "trust": 2.2
      },
      {
        "db": "BID",
        "id": "96113",
        "trust": 2.0
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-017-02",
        "trust": 2.0
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385",
        "trust": 0.8
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-017-02A",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "4251F10A-2A51-4EE5-942D-63053EFAB9F2",
        "trust": 0.2
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "id": "VAR-201702-0080",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      }
    ],
    "trust": 1.55
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:51:24.576000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Alaris PC unit",
        "trust": 0.8,
        "url": "http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-255",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-017-01"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/96113"
      },
      {
        "trust": 1.4,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-017-02"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8375"
      },
      {
        "trust": 0.8,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-017-02a"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-8375"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02"
      },
      {
        "trust": 0.3,
        "url": "http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/255.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-02-20T00:00:00",
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "date": "2017-02-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "date": "2017-02-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "date": "2017-02-07T00:00:00",
        "db": "BID",
        "id": "96113"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "date": "2017-02-13T22:59:00.210000",
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "date": "2017-02-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-02-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      },
      {
        "date": "2017-03-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-8375"
      },
      {
        "date": "2017-03-07T03:02:00",
        "db": "BID",
        "id": "96113"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008011"
      },
      {
        "date": "2017-03-16T17:25:57.367000",
        "db": "NVD",
        "id": "CVE-2016-8375"
      },
      {
        "date": "2021-03-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "96113"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Alaris 8000/8015 PC units Information Disclosure Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "4251f10a-2a51-4ee5-942d-63053efab9f2"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01601"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-385"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2017-01601

Vulnerability from cnvd - Published: 2017-02-20

Title

Alaris 8000/8015 PC units信息泄露漏洞

Description

Alaris 8000和8015 PC unit都是美国BD公司的Alaris系统的核心，为编程静脉输液提供了通用的用户界面。 Alaris 8000和8015 PC units存在信息泄露漏洞。攻击者可利用漏洞获取敏感信息，导致进一步攻击。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01

Reference

http://www.securityfocus.com/bid/96113

Impacted products

Name
['BD Alaris 8015 PC unit 9.7', 'BD Alaris 8000 PC unit 0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "96113"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8375",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8375"
    }
  },
  "description": "Alaris 8000\u548c8015 PC unit\u90fd\u662f\u7f8e\u56fdBD\u516c\u53f8\u7684Alaris\u7cfb\u7edf\u7684\u6838\u5fc3\uff0c\u4e3a\u7f16\u7a0b\u9759\u8109\u8f93\u6db2\u63d0\u4f9b\u4e86\u901a\u7528\u7684\u7528\u6237\u754c\u9762\u3002\r\n\r\nAlaris 8000\u548c8015 PC units\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u5bfc\u81f4\u8fdb\u4e00\u6b65\u653b\u51fb\u3002",
  "discovererName": "Becton, Dickinson and Company (BD)",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-01601",
  "openTime": "2017-02-20",
  "products": {
    "product": [
      "BD Alaris 8015 PC unit 9.7",
      "BD Alaris 8000 PC unit 0"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/96113",
  "serverity": "\u4e2d",
  "submitTime": "2017-02-10",
  "title": "Alaris 8000/8015 PC units\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-3GHH-4P87-43PM

Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2022-05-17 02:55

Details

Severity ?

4.9 (Medium)


                  
                    CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-8375"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-13T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.",
  "id": "GHSA-3ghh-4p87-43pm",
  "modified": "2022-05-17T02:55:06Z",
  "published": "2022-05-17T02:55:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8375"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2016-8375

Vulnerability from fkie_nvd - Published: 2017-02-13 22:59 - Updated: 2025-04-20 01:37

Severity ?

4.9 (Medium) - CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/96113	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01	Mitigation, Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/96113	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02	Mitigation, Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	bd	alaris_8015_pc_unit	*
	bd	alaris_8015_pc_unit	9.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C65F8B2-E4A6-429B-BA5A-FD3FA2B7ABF3",
              "versionEndIncluding": "9.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A084F62-ED84-4DE0-BE57-6665FB7248B6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device\u0027s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection."
    },
    {
      "lang": "es",
      "value": "Ha sido descubierto un problema en la unidad Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC), versi\u00f3n 9.5 y versiones anteriores, y en la versi\u00f3n 9.7 y unidad de PC 8000. Un usuario no autorizado con acceso f\u00edsico a una unidad de Alaris PC afectada puede obtener credenciales de autenticaci\u00f3n de red inal\u00e1mbrica sin cifrar y otros datos t\u00e9cnicos confidenciales al desmontar la unidad de PC y acceder a la memoria flash del dispositivo. La unidad PC Alaris 8015, Versi\u00f3n 9.7 y la unidad PC 8000 almacenan credenciales de autenticaci\u00f3n de redes inal\u00e1mbricas y otros datos t\u00e9cnicos sensibles en la memoria flash interna. El acceso a la memoria flash interna del dispositivo afectado requerir\u00eda herramientas especiales para extraer datos y llevar a cabo este ataque en una instalaci\u00f3n sanitaria aumentar\u00eda la probabilidad de detecci\u00f3n."
    }
  ],
  "id": "CVE-2016-8375",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 1.9,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-02-13T22:59:00.210",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/96113"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/96113"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-255"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-8375 (GCVE-0-2016-8375)

ICSMA-17-017-02

ICSMA-17-017-01

GSD-2016-8375

VAR-201702-0080

CNVD-2017-01601

GHSA-3GHH-4P87-43PM

FKIE_CVE-2016-8375

Tags

Sightings

Nomenclature