CVE-2017-12718
published 2018-02-15

CVE-2017-12718: A Classic Buffer Overflow issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. A third-party…

Priority: P2 (63, high)
CVSS 3.0: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 13.02% (95.8th percentile)
A Classic Buffer Overflow issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. A third-party component used in the pump does not verify input buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device. The pump receives the potentially malicious input infrequently and under certain conditions, increasing the difficulty of exploitation.

Affected (3 ranges)

Vendor           Product                                         Version range   Fixed in
smiths-medical   medfusion_4000_wireless_syringe_infusion_pump   (not given)     (not given)
smiths-medical   medfusion_4000_wireless_syringe_infusion_pump   (not given)     (not given)
smiths-medical   medfusion_4000_wireless_syringe_infusion_pump   (not given)     (not given)

Detection & IOCs (extracted from sources)

Packet bytes from the PoC:
02 01 06 00 a5 d3 0b 2f 00 00 80 00 ... 63 82 53 63 35 01 02 36 04 ff ff ff ff 01 04 ff ff ff 00 43 98 00 ...
  • Detect oversized DHCP option 67 (vendor class / bootfile) payloads: the exploit uses DHCP option 0x43 (decimal 67) with a declared length of 0x98 (152 bytes) filled with NULLs to overflow the RTCS DHCP client buffer.
  • The exploit overwrites a function pointer at offset 0x195–0x198 within the crafted DHCP OFFER packet; monitor for DHCP OFFER packets (op=0x02, message-type option 0x35=0x02) with payloads exceeding normal option lengths.
  • The DHCP magic cookie bytes 63 82 53 63 followed immediately by option 35 01 02 (DHCP OFFER) and option 36 04 ff ff ff ff (server identifier all-0xFF) is a strong indicator of the exploit packet.
  • The exploit listens on UDP port 67 (DHCP server) to capture legitimate DHCP DISCOVER/REQUEST packets and mirrors the transaction ID before sending the malicious OFFER on UDP port 68; anomalous DHCP server traffic originating from non-authoritative hosts on the local network segment is a key detection signal.
  • The exploit requires the attacker to be on the same network segment as the target (private network) and must race to respond to a legitimate DHCP request before the real server; exploitation is therefore network-position-dependent and infrequent.
  • The pump receives the potentially malicious input infrequently and under certain conditions, which increases exploitation difficulty and may reduce detection opportunity windows.
  • The function pointer overwrite offset (0x195–0x198) is specific to the MQX RTCS build used in the PoC; the actual offset may differ across MQX versions and target architectures (ColdFire, Kinetis, i.MX, Vybrid).
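The indicators above (a DHCP OFFER whose option 67 declares a length far beyond anything a bootfile name needs, a server identifier of all 0xFF, and OFFER traffic from a host that is not the segment's DHCP server) can be checked mechanically on captured UDP/68 payloads. The following is an added example, not code from the page or from any of its sources: it parses the fixed BOOTP header and the TLV option area, refuses to trust a declared option length that overruns the packet (the mismatch a non-checking client would copy past), and returns a list of finding codes. The `MAX_BOOTFILE_LEN` threshold and the `authorized_servers` allowlist are assumed site policy; the sample packets are constructed here, modelled on the header bytes shown above, and are not the PoC.

```python
"""Flag DHCP OFFER packets carrying the CVE-2017-12718 indicators (added example)."""
import struct
from typing import Dict, List, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_BOOTFILE = 53, 54, 67
DHCP_OFFER = 2
MAX_BOOTFILE_LEN = 64  # assumed site threshold; the PoC declares 0x98 = 152 bytes


def parse_options(data: bytes) -> Tuple[Dict[int, Tuple[int, bytes]], List[str]]:
    """Walk the TLV option area after the magic cookie.

    Returns {code: (declared_length, value_bytes)} and a list of findings for
    options whose declared length runs past the end of the packet. A later
    duplicate of the same option code overwrites the earlier one.
    """
    opts: Dict[int, Tuple[int, bytes]] = {}
    findings: List[str] = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            findings.append("malformed_options")
            break
        declared = data[i + 1]
        value = data[i + 2:i + 2 + declared]
        if len(value) < declared:
            # Length field claims more bytes than the packet holds.
            findings.append(f"option_{code}_truncated:declared={declared},present={len(value)}")
        opts[code] = (declared, value)
        i += 2 + declared
    return opts, findings


def analyze_dhcp(packet: bytes, src_ip: str, authorized_servers: Set[str]) -> List[str]:
    """Return finding codes for a DHCP payload seen on UDP port 68 from src_ip."""
    # Fixed BOOTP header is 236 bytes; the magic cookie follows at offset 236.
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return ["not_dhcp"]
    op = packet[0]
    opts, findings = parse_options(packet[240:])
    msg_type = opts.get(OPT_MSG_TYPE, (0, b""))[1]
    if not (op == 2 and msg_type == bytes([DHCP_OFFER])):
        return findings  # only OFFER replies are in scope for these indicators
    if src_ip not in authorized_servers:
        findings.append(f"unauthorized_server:{src_ip}")
    sid = opts.get(OPT_SERVER_ID)
    if sid and sid[1] == b"\xff\xff\xff\xff":
        findings.append("server_id_broadcast")
    bootfile = opts.get(OPT_BOOTFILE)
    if bootfile and bootfile[0] > MAX_BOOTFILE_LEN:
        findings.append(f"oversized_option_67:{bootfile[0]}")
    return findings


def build_offer(bootfile_len: int, server_id: bytes) -> bytes:
    """Constructed DHCP OFFER for testing; header fields mirror the bytes shown on the page."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xA5D30B2F, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 16   # ciaddr, yiaddr, siaddr, giaddr
    header += b"\x00" * 16   # chaddr
    header += b"\x00" * 64   # sname
    header += b"\x00" * 128  # file
    options = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + server_id
    options += bytes([1, 4, 255, 255, 255, 0])              # subnet mask, as in the PoC bytes
    options += bytes([OPT_BOOTFILE, bootfile_len]) + b"\x00" * bootfile_len
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    allowed = {"192.168.1.1"}
    print(analyze_dhcp(build_offer(10, bytes([192, 168, 1, 1])), "192.168.1.1", allowed))
    print(analyze_dhcp(build_offer(0x98, b"\xff" * 4), "10.0.0.99", allowed))
```

Run against a live capture, feed each UDP payload with destination port 68 into `analyze_dhcp` together with its source address; an empty list is a clean OFFER, and the `option_67_truncated` code is worth alerting on by itself because a client that trusts the declared length will read or copy past the real end of the datagram.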

CVSS provenance

NVD, CVSS v3.0: 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)