cvelistv5 - CVE-2016-9355

CVE-2016-9355 (GCVE-0-2016-9355)

Vulnerability from cvelistv5 – Published: 2017-02-13 22:00 – Updated: 2024-08-06 02:50

Summary

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience.

Severity ?

No CVSS data available.

CWE

BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities

Assigner

icscert

References

URL

	Vendor	Product	Version
	n/a	BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities	Affected: BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities

FKIE_CVE-2016-9355

Vulnerability from fkie_nvd - Published: 2017-02-13 22:59 - Updated: 2025-04-20 01:37

Severity ?

5.3 (Medium) - CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/96116	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/96116	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02	Mitigation, Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	bd	alaris_8015_pc_unit	*
	bd	alaris_8015_pc_unit	9.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C65F8B2-E4A6-429B-BA5A-FD3FA2B7ABF3",
              "versionEndIncluding": "9.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A084F62-ED84-4DE0-BE57-6665FB7248B6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience."
    },
    {
      "lang": "es",
      "value": "Ha sido descubierto un problema en la unidad de Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC), versi\u00f3n 9.5 y versiones anteriores, y en la versi\u00f3n 9.7. Un usuario no autorizado con acceso f\u00edsico a una unidad de PC Alaris 8015 puede ser capaz de obtener credenciales de autenticaci\u00f3n de red inal\u00e1mbrica sin cifrar y otros datos t\u00e9cnicos sensibles mediante el desmontaje de una unidad de PC Alaris 8015 y accediendo a la memoria flash del dispositivo. Las versiones de software m\u00e1s antiguas de la unidad Alaris 8015 PC versi\u00f3n 9.5 y versiones anteriores almacenan credenciales de autenticaci\u00f3n de red inal\u00e1mbrica y otros datos t\u00e9cnicos sensibles en la memoria flash extra\u00edble del dispositivo afectado. Ser capaz de eliminar la memoria flash del dispositivo afectado reduce el riesgo de detecci\u00f3n, permitiendo a un atacante extraer los datos almacenados a conveniencia del atacante."
    }
  ],
  "id": "CVE-2016-9355",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-02-13T22:59:00.240",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/96116"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/96116"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-255"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ICSMA-17-017-02

Vulnerability from csaf_cisa - Published: 2017-01-17 00:00 - Updated: 2021-03-16 00:00

Summary

BD Alaris 8015 PC Unit (Update B)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an unauthorized user with physical access to the affected devices to access the host facility 's wireless network authentication credentials and other sensitive technical data, which may compromise the confidentiality, integrity, and availability of the device.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Dan Regalado",
          "Asher Davila Loranca",
          "Ryan Dion"
        ],
        "organization": "Palo Alto",
        "summary": "reporting these vulnerabilities to BD"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an unauthorized user with physical access to the affected devices to access the host facility \u0027s wireless network authentication credentials and other sensitive technical data, which may compromise the confidentiality, integrity, and availability of the device.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-017-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-017-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-017-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "BD Alaris 8015 PC Unit (Update B)",
    "tracking": {
      "current_release_date": "2021-03-16T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-17-017-02",
      "initial_release_date": "2017-01-17T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-01-17T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-17-017-02P BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities"
        },
        {
          "date": "2017-02-07T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSMA-17-017-02 BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities (Update A)"
        },
        {
          "date": "2017-10-19T00:00:00.000000Z",
          "legacy_version": "B",
          "number": "3",
          "summary": "ICSMA-17-017-02A BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities (Update B)"
        },
        {
          "date": "2021-03-16T00:00:00.000000Z",
          "legacy_version": "C",
          "number": "4",
          "summary": "ICSMA-17-017-02 BD Alaris 8015 PC Unit (Update C)"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.7",
                "product": {
                  "name": "Alaris 8015 PC unit: Version 9.7",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.33",
                "product": {
                  "name": "Alaris 8015 PC unit: Versions 9.33 and prior",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.5",
                "product": {
                  "name": "Alaris 8015 PC unit: Version 9.5 and prior versions",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Alaris 8015 PC unit"
          }
        ],
        "category": "vendor",
        "name": "Becton, Dickinson and Company (BD)"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-8375",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by removing the external Wi-Fi card from an Alaris 8015 PC unit and connecting a pre-programmed malicious CF (CompactFlash) card to perform the attack.CVE-2016-8375 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8375"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "BD has not developed a product fix to address these vulnerabilities, but has issued compensating controls to reduce the risk of exploitation.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "All Alaris System software versions less than 9.19 are end of life. BD recommends users upgrade Alaris System software when BD releases its next version of software, upon 510(k) clearance.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD recommends that users apply the following compensating controls:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD has released a security bulletin for the Alaris PC unit model 8015.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-alaris-pc-unit-model-8015-update"
        },
        {
          "category": "vendor_fix",
          "details": "For additional information about the identified vulnerabilities or BD \u0027s compensating controls, please contact BD \u0027s Customer Support.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2016-9355",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthorized user with physical access to an Alaris 8015 PC unit may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory. Physical access to the CF card allows an attacker to overwrite application and internal data (logs, drug library, etc.). Older software versions of the Alaris 8015 PC unit (Version 9.5 and prior) store wireless network authentication credentials and other sensitive technical data on the affected device \u0027s removable flash memory. It is not difficult to obtain this data, but very difficult to interpret and change it to create an exploit that is progressive. In addition, the proprietary nature of the stored data format makes it unlikely modification of the CF card would go undetected.CVE-2016-9355 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9355"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "BD has not developed a product fix to address these vulnerabilities, but has issued compensating controls to reduce the risk of exploitation.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "All Alaris System software versions less than 9.19 are end of life. BD recommends users upgrade Alaris System software when BD releases its next version of software, upon 510(k) clearance.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD recommends that users apply the following compensating controls:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "BD has released a security bulletin for the Alaris PC unit model 8015.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-alaris-pc-unit-model-8015-update"
        },
        {
          "category": "vendor_fix",
          "details": "For additional information about the identified vulnerabilities or BD \u0027s compensating controls, please contact BD \u0027s Customer Support.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://www.bd.com/en-us/support/product-security-and-privacy"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

VAR-201702-0856

Vulnerability from variot - Updated: 2023-12-18 12:51

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201702-0856",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "bd",
        "version": "9.7"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "bd",
        "version": "9.5"
      },
      {
        "model": "alaris pc unit",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "bd",
        "version": "80159.5"
      },
      {
        "model": "alaris pc unit",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "bd",
        "version": "80159.4"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "becton dickinson and bd",
        "version": "9.5"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "becton dickinson and bd",
        "version": "9.7"
      },
      {
        "model": "alaris 8015 pc unit",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "bd",
        "version": "9.5"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "alaris 8015 pc unit",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "alaris 8015 pc unit",
        "version": "9.7"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Dickinson and Company (BD),Becton",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2016-9355",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 2.1,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2016-9355",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 4.9,
            "id": "CNVD-2017-01600",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 4.9,
            "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.9,
            "impactScore": 4.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Physical",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2016-9355",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-9355",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-01600",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201702-382",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "IVD",
            "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62",
            "trust": 0.2,
            "value": "LOW"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience. The Alaris 8015 PC unit is the heart of the Alaris System, a US company\u0027s BD that provides a user-common interface for programming intravenous infusions. An information disclosure vulnerability exists in the Alaris 8015 PC unit. Attackers can exploit vulnerabilities to obtain sensitive information and launch further attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-9355",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-017-02",
        "trust": 2.5
      },
      {
        "db": "BID",
        "id": "96116",
        "trust": 1.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382",
        "trust": 0.8
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-017-02A",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "4F54F6B1-67A9-4779-969F-14D9021C9A62",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "id": "VAR-201702-0856",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      }
    ],
    "trust": 1.55
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:51:24.613000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Alaris PC unit",
        "trust": 0.8,
        "url": "http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-255",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-017-02"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/96116"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9355"
      },
      {
        "trust": 0.8,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-017-02a"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-9355"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsma-17-017-02"
      },
      {
        "trust": 0.3,
        "url": "http://www.carefusion.com/our-products/infusion/infusion-system-devices/alaris-pc-unit"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-02-20T00:00:00",
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "date": "2017-02-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "date": "2017-02-07T00:00:00",
        "db": "BID",
        "id": "96116"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "date": "2017-02-13T22:59:00.240000",
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "date": "2017-02-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-02-20T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      },
      {
        "date": "2017-03-07T04:01:00",
        "db": "BID",
        "id": "96116"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008012"
      },
      {
        "date": "2017-03-16T17:08:35.180000",
        "db": "NVD",
        "id": "CVE-2016-9355"
      },
      {
        "date": "2021-03-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "96116"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Alaris 8015 PC unit Information Disclosure Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "4f54f6b1-67a9-4779-969f-14d9021c9a62"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-01600"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201702-382"
      }
    ],
    "trust": 0.6
  }
}

GSD-2016-9355

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-9355

Aliases

CVE-2016-9355

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-9355",
    "description": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience.",
    "id": "GSD-2016-9355"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-9355"
      ],
      "details": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience.",
      "id": "GSD-2016-9355",
      "modified": "2023-12-13T01:21:22.007204Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2016-9355",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "96116",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/96116"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-9355"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-255"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
            },
            {
              "name": "96116",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/96116"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 4.0
        }
      },
      "lastModifiedDate": "2017-03-16T17:08Z",
      "publishedDate": "2017-02-13T22:59Z"
    }
  }
}

CNVD-2017-01600

Vulnerability from cnvd - Published: 2017-02-20

Title

Alaris 8015 PC unit信息泄露漏洞

Description

Alaris 8015 PC unit是美国公司BD的的一款为编程静脉输注提供用户公用接口的 Alaris System系统的核心。 Alaris 8015 PC unit存在信息泄露漏洞。攻击者可利用漏洞获取敏感信息，发动进一步的攻击。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： http://www.carefusion.com/customer-support/alerts-and-notices/product-security-bulletin-for-alaris-pc-unit-model-8015

Reference

http://www.securityfocus.com/bid/96116 https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02

Impacted products

Name
['BD Alaris 8015 PC unit 9.5', 'BD Alaris 8015 PC unit 9.4']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "96116"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9355",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9355"
    }
  },
  "description": "Alaris 8015 PC unit\u662f\u7f8e\u56fd\u516c\u53f8BD\u7684\u7684\u4e00\u6b3e\u4e3a\u7f16\u7a0b\u9759\u8109\u8f93\u6ce8\u63d0\u4f9b\u7528\u6237\u516c\u7528\u63a5\u53e3\u7684 Alaris System\u7cfb\u7edf\u7684\u6838\u5fc3\u3002\r\n\r\nAlaris 8015 PC unit\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u53d1\u52a8\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002",
  "discovererName": "Becton, Dickinson and Company (BD)",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttp://www.carefusion.com/customer-support/alerts-and-notices/product-security-bulletin-for-alaris-pc-unit-model-8015",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-01600",
  "openTime": "2017-02-20",
  "products": {
    "product": [
      "BD Alaris 8015 PC unit 9.5",
      "BD Alaris 8015 PC unit 9.4"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/96116\r\nhttps://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02",
  "serverity": "\u4e2d",
  "submitTime": "2017-02-10",
  "title": "Alaris 8015 PC unit\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-4MQ5-8PPX-R669

Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2022-05-17 02:55

Details

Severity ?

5.3 (Medium)


                  
                    CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-9355"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-13T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device\u0027s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device\u0027s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker\u0027s convenience.",
  "id": "GHSA-4mq5-8ppx-r669",
  "modified": "2022-05-17T02:55:06Z",
  "published": "2022-05-17T02:55:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9355"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96116"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-9355 (GCVE-0-2016-9355)

FKIE_CVE-2016-9355

ICSMA-17-017-02

VAR-201702-0856

GSD-2016-9355

CNVD-2017-01600

GHSA-4MQ5-8PPX-R669

Tags

Sightings

Nomenclature