CVE-2014-5406
Published 2015-07-06
Priority: P3 · 42 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 1.24% (65.5th percentile)
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hospira | lifecare_pca_infusion_system | <= 5.0 | — |
| hospira | lifecare_pcainfusion_firmware | <= 5.0 | — |
CVSS provenance
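| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.8 | HIGH | — |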
CISA ICS
Hospira LifeCare PCA Infusion System Vulnerabilities
cisa_ics·2018-08-23
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-15-125-01
## OVERVIEW
Independent researcher Billy Rios has identified an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System, which NCCIC/ICS-CERT has been coordinating with Hospira since May 2014. This advisory is being issued to provide notice of public disclosures of the identified vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version that mitigates the
CISA ICS
Hospira LifeCare PCA Infusion System Vulnerabilities (Update B)
cisa_ics·2015-05-13
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-15-125-01B
## OVERVIEW
This updated advisory is a follow-up to the updated advisory titled ICSA-15-125-01A Hospira LifeCare PCA Infusion System Vulnerabilities that was published May 13, 2015, on the NCCIC/ICS-CERT web site.
## --------- Begin Update B Part 1 of 9 --------
Independent researcher Billy Rios has identified vulnerabilities in Hospira’s LifeCare PCA Infusion System, which ICS-CERT has been coordinating with Hospira since May 2014. Kyle Kamke of Ramparts, LLC
CISA ICS
Hospira LifeCare PCA Infusion System Vulnerabilities (Update A)
cisa_ics·2015-05-05
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-15-125-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-15-125-01 Hospira LifeCare PCA Infusion System Vulnerabilities that was published May 5, 2015, on the NCCIC/ICS-CERT web site.
Independent researcher Billy Rios has identified an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System, which ICS-CERT has been coordinating with Hospira sin
GHSA
GHSA-vxf4-qh89-w2r6: The Hospira LifeCare PCA Infusion System before 7
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2014-5406 [CRITICAL] CWE-345 GHSA-vxf4-qh89-w2r6: The Hospira LifeCare PCA Infusion System before 7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json
https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/