CVE-2014-5406
N/A
N/A
Summary
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Hospira | LifeCare PCA Infusion System | 0 <= 5.0 | affected |
| Hospira | LifeCare PCA Infusion System | 7.0 | unaffected |
Weaknesses
- CWE-345: CWE-345
ADP Enrichment
CVE Program Container
Additional References
- https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
- https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
- https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.