CVE-2017-12718
Published 2018-02-15
Priority: P2 · 63 · high · CVSS 3.0 base score 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see references)
EPSS: 13.02% (95.8th percentile)
A Classic Buffer Overflow issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. A third-party component used in the pump does not verify input buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device. The pump receives the potentially malicious input infrequently and under certain conditions, increasing the difficulty of exploitation.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smiths-medical | medfusion_4000_wireless_syringe_infusion_pump | 1.1 | — |
| smiths-medical | medfusion_4000_wireless_syringe_infusion_pump | 1.5 | — |
| smiths-medical | medfusion_4000_wireless_syringe_infusion_pump | 1.6 | — |
Detection & IOCs (extracted from sources)
Bytes (exploit DHCP OFFER, excerpted):
02 01 06 00 a5 d3 0b 2f 00 00 80 00 ... 63 82 53 63 35 01 02 36 04 ff ff ff ff 01 04 ff ff ff 00 43 98 00 ...
- Detect oversized DHCP option 67 (Bootfile Name) payloads: the exploit uses option 0x43 (decimal 67) with a declared length of 0x98 (152 bytes) filled with NULs to overflow the RTCS DHCP client buffer.
- The exploit overwrites a function pointer at offset 0x195–0x198 within the crafted DHCP OFFER packet; monitor for DHCP OFFER packets (op=0x02 BOOTREPLY, DHCP Message Type option 0x35 = 0x02 OFFER) with option lengths well beyond what legitimate servers emit.
- The DHCP magic cookie bytes 63 82 53 63 followed immediately by option 35 01 02 (DHCP OFFER) and option 36 04 ff ff ff ff (Server Identifier of 255.255.255.255, which no legitimate server uses) is a strong indicator of the exploit packet.
- The exploit listens on UDP port 67 (DHCP server) to capture legitimate DHCP DISCOVER/REQUEST packets and mirrors the transaction ID before sending the malicious OFFER to UDP port 68; DHCP server traffic originating from hosts that are not the authoritative DHCP server on the local segment is a key detection signal.
- The exploit requires the attacker to be on the same network segment as the target (private network) and must race to answer a legitimate DHCP request before the real server; exploitation is therefore network-position-dependent and infrequent.
- The pump receives the potentially malicious input infrequently and under certain conditions, which increases exploitation difficulty and may narrow the detection window.
- The function pointer overwrite offset (0x195–0x198) is specific to the MQX RTCS build used in the PoC; the actual offset may differ across MQX versions and target architectures (ColdFire, Kinetis, i.MX, Vybrid).
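The IOCs above can be checked mechanically on captured DHCP traffic. The following is an added example written for this page (it is not code from the page, the public PoC, Smiths Medical or NXP): it parses the option TLVs of a DHCP datagram while enforcing each option's declared length, and flags an OFFER that carries a broadcast Server Identifier or an oversized or NUL-filled Bootfile Name. The 128-byte threshold is an assumption chosen because the fixed BOOTP `file` field is 128 octets; the two sample datagrams are constructed here rather than captured, although the malicious one mirrors the header bytes and the option 0x43 / length 0x98 / NUL-fill layout quoted above.

```python
"""
DHCP OFFER triage for the CVE-2017-12718 IOCs (added example, not page/PoC code).

Input is the UDP payload of a BOOTP/DHCP datagram. parse_options() walks the
option TLVs after the magic cookie and refuses to read past the end of the
datagram; triage_offer() reports, for BOOTREPLY datagrams whose DHCP Message
Type (option 53) is OFFER:
  - Server Identifier (option 54) of 255.255.255.255
  - Bootfile Name (option 67) longer than MAX_SANE_BOOTFILE bytes, or NUL-filled
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_BOOTFILE = 53, 54, 67
DHCPOFFER = 2
MAX_SANE_BOOTFILE = 128  # assumption: local threshold (size of the fixed BOOTP `file` field)


def parse_options(payload: bytes) -> list:
    """Return [(code, value), ...] from the options field, enforcing declared lengths.

    The fixed BOOTP header is 236 bytes, followed by the 4-byte magic cookie.
    A client that copies `length` bytes into a fixed buffer without checking
    them is the bug class behind this CVE; here every length is validated.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP datagram (short or missing magic cookie)")
    opts = []
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes, {len(value)} remain")
        opts.append((code, value))
        i += 2 + length
    return opts


def options_well_formed(payload: bytes) -> bool:
    """True when every option fits inside the datagram."""
    try:
        parse_options(payload)
        return True
    except ValueError:
        return False


def triage_offer(payload: bytes) -> list:
    """Return the IOC labels that fire on this datagram (empty list = nothing suspicious)."""
    findings = []
    by_code = {}
    for code, value in parse_options(payload):
        by_code.setdefault(code, []).append(value)
    is_offer = payload[0] == BOOTREPLY and bytes([DHCPOFFER]) in by_code.get(OPT_MSG_TYPE, [])
    if not is_offer:
        return findings
    for value in by_code.get(OPT_SERVER_ID, []):
        if value == b"\xff\xff\xff\xff":
            findings.append("server-id-broadcast")
    for value in by_code.get(OPT_BOOTFILE, []):
        if len(value) > MAX_SANE_BOOTFILE:
            findings.append(f"oversized-bootfile({len(value)})")
        if value and not value.strip(b"\x00"):
            findings.append("bootfile-nul-filled")
    return findings


def build_offer(xid: int, server_id: bytes, bootfile: bytes) -> bytes:
    """Construct a minimal DHCP OFFER datagram (sample data for this example, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,  # op, htype, hlen, hops, xid, secs, flags (broadcast)
        b"\x00" * 4, b"\xc0\xa8\x01\x64", b"\x00" * 4, b"\x00" * 4,  # ciaddr, yiaddr, siaddr, giaddr
    )
    header += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10  # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128                 # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + server_id
    opts += bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile
    opts += bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


# Constructed samples: a normal PXE-style OFFER and one shaped like the exploit packet above.
BENIGN_OFFER = build_offer(0x12345678, b"\xc0\xa8\x01\x01", b"pxelinux.0")
MALICIOUS_OFFER = build_offer(0xA5D30B2F, b"\xff\xff\xff\xff", b"\x00" * 0x98)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_OFFER), ("malicious", MALICIOUS_OFFER)):
        print(name, triage_offer(pkt))
```

Feed `triage_offer()` the UDP payload of every datagram seen on port 68 from a span port or pcap; the "non-authoritative DHCP server" signal from the list above is a separate check on the source IP against your known server addresses and is not implemented here. The length enforcement in `parse_options()` is the property the vulnerable client lacks: it never trusts a declared option length beyond the bytes actually present.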
CVSS provenance
NVD v3.0: 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
CISA ICS
NXP Semiconductors MQX RTOS (Update A)
cisa_ics · 2017-10-12
ICS Advisory
Last Revised: February 01, 2018
Alert Code: ICSA-17-285-04A
## CVSS v3 8.1
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: NXP Semiconductors
Equipment: MQX RTOS
Vulnerabilities: Classic Buffer Overflow, Out-of-Bounds Read
## UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-17-285-04 NXP Semiconductors MQX RTOS, published October 12, 2017, on the NCCIC/ICS-CERT website.
## AFFECTED PRODUCTS
The following versions of MQX Real-Time Operating System (RTOS) are used in
GHSA
GHSA-84pw-5frw-ww2p (ghsa_unreviewed · 2022-05-13): CVE-2017-12718 [HIGH] CWE-119
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/100665
- http://www.securityfocus.com/bid/101252
- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A
- https://www.exploit-db.com/exploits/43776/