github - ghsa-vxf4-qh89-w2r6

GHSA-VXF4-QH89-W2R6

Vulnerability from github – Published: 2022-05-17 04:11 – Updated: 2025-11-03 21:30

Details

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-5406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-07-06T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.  NOTE: this issue might overlap CVE-2015-3459.",
  "id": "GHSA-vxf4-qh89-w2r6",
  "modified": "2025-11-03T21:30:29Z",
  "published": "2022-05-17T04:11:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01"
    },
    {
      "type": "WEB",
      "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2014-5406 (GCVE-0-2014-5406)

Vulnerability from cvelistv5 – Published: 2015-07-06 19:10 – Updated: 2025-11-03 18:34

Summary

Severity ?

No CVSS data available.

CWE

CWE-345

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	http://www.fda.gov/MedicalDevices/Safety/Alertsan…	x_refsource_MISC
	https://xs-sniper.com/blog/2015/06/08/hospira-plu…	x_refsource_MISC
	https://github.com/cisagov/CSAF/blob/develop/csaf…

Impacted products

	Vendor	Product	Version
	Hospira	LifeCare PCA Infusion System	Affected: 0 , ≤ 5.0 (custom) Unaffected: 7.0

Credits

Billy Rios

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.223Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LifeCare PCA Infusion System",
          "vendor": "Hospira",
          "versions": [
            {
              "lessThanOrEqual": "5.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "7.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Billy Rios"
        }
      ],
      "datePublic": "2015-05-05T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.  NOTE: this issue might overlap CVE-2015-3459.\u003c/p\u003e"
            }
          ],
          "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.  NOTE: this issue might overlap CVE-2015-3459."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.6,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-03T18:34:36.324Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eICS-CERT has been working with Hospira since May 2014 to address the \nvulnerabilities in the LifeCare PCA Infusion System. Hospira has \ndeveloped a new version of the PCS Infusion System, Version 7.0 that \naddresses the identified vulnerabilities. According to Hospira, \nVersion 7.0 has Port 20/FTP and Port 23/TELNET closed by default to \nprevent unauthorized access. Existing PCA Infusion Systems running \nVersion 5.0 can be upgraded to Version 7.0 when it becomes available. \nHospira\u2019s Version 7.0 is being reviewed by the FDA prior to its release.\n The release date for Version 7.0 of the LifeCare PCA Infusion System \nhas not been determined.\u003c/p\u003e\n\u003cp\u003eFor additional information about Hospira\u2019s new release, contact Hospira\u2019s technical support at 1\u2011800-241-4002.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "ICS-CERT has been working with Hospira since May 2014 to address the \nvulnerabilities in the LifeCare PCA Infusion System. Hospira has \ndeveloped a new version of the PCS Infusion System, Version 7.0 that \naddresses the identified vulnerabilities. According to Hospira, \nVersion 7.0 has Port 20/FTP and Port 23/TELNET closed by default to \nprevent unauthorized access. Existing PCA Infusion Systems running \nVersion 5.0 can be upgraded to Version 7.0 when it becomes available. \nHospira\u2019s Version 7.0 is being reviewed by the FDA prior to its release.\n The release date for Version 7.0 of the LifeCare PCA Infusion System \nhas not been determined.\n\n\nFor additional information about Hospira\u2019s new release, contact Hospira\u2019s technical support at 1\u2011800-241-4002."
        }
      ],
      "source": {
        "advisory": "ICSA-15-125-01",
        "discovery": "EXTERNAL"
      },
      "title": "Hospira LifeCare PCA Infusion System",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5406",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.  NOTE: this issue might overlap CVE-2015-3459."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
            },
            {
              "name": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm",
              "refsource": "MISC",
              "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"
            },
            {
              "name": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/",
              "refsource": "MISC",
              "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5406",
    "datePublished": "2015-07-06T19:10:00",
    "dateReserved": "2014-08-22T00:00:00",
    "dateUpdated": "2025-11-03T18:34:36.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-VXF4-QH89-W2R6

CVE-2014-5406 (GCVE-0-2014-5406)

Tags

Sightings

Nomenclature