ID THREATPOST:909F16267BED7C16BE79E56FCFF93CEC Type threatpost Reporter Chris Brook Modified 2018-03-22T07:50:05
Description
One medical device company’s line of drug pumps is so fraught with vulnerabilities that the researcher that discovered the flaws claims the pump is the least secure IP-enabled device he’s ever come across.
Certain versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple remotely exploitable vulnerabilities that could not only brick the device, but with a little tweaking, also let attackers change the drug library they’re affiliated with, update the its software, and run commands.
“I would personally be very concerned if this device was being attached to me,” Jeremy Richards, a Software Security Engineer at the SAINT Corporation who dug up the bugs, wrote last week, “It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo.”
> Don't buy a Hospira PCA drug pump to do security stuff. Busybx no passwd shell on 23, no-auth CGIs, also never hook it up to a human being
>
> — dyngnosis (@dyngnosis) April 27, 2015
The affected pumps come configured with a default IP address, 192.168.0.100, that could be used by an attacker to extract wireless encryption keys, which are stored in plain text on the device. If an attacker had physical access to the device, they could not only gain access to the keys and compromise the pump, but by extension, any drug pumps in the hospital connected to its WiFi.
In a scenario Richards looked at he found WPA keys for the hospital’s wireless network on the pumps, unencrypted and in plain text, something that means that they could easily be accessed via Telnet and FTP and ultimately, if the devices were ever sold, cause a mess of trouble for the hospitals.
> Hospitals need to remove WPA keys from their devices before selling them on ebay/med surplus companies. This is a Life Critical Network.
>
> — dyngnosis (@dyngnosis) April 28, 2015
Richards, who blogs about security at HextechSecurity.com, discussed the pump’s failures last week. A CVE (CVE-2015-3459) for the issue, specifying that pumps running SW version 412 don’t require authentication for Telnet sessions and could allow remote attackers to gain root privileges via TCP port 23, was created at the National Vulnerability Database shortly after.
Richards claims that since the device has an exposed ethernet port a local physical attack could be carried out with an attack tool, like a specially rigged Raspberry Pi, in less than 5 seconds.
“This is a game-over vulnerability that allows an attacker with physical access to the device complete control over their own device,” Richards wrote.
Attackers can also glean information related to hard coded local accounts and on top of that, a server, AppWeb, that runs in tandem with the device suffers from its own separate vulnerabilities as well.
The issue is complicated by the fact that even if there was authentication present on the Telnet port, it wouldn’t help, since there are several web services, exposed CGIs “linkparams” and “xmmucgi,” that don’t require authentication which an attacker could exploit to “change the drug library, update software and run commands.”
As Richards points out in his blog, he’s contacted Hospira, the medical device company that manufactures the pumps, but it apparently has no plans to either recertify or patch the devices.
The issue is the second to plague the Illinois medical device firm in the last month.
In late March a similar flaw with the company’s Windows-based MedNet platform, divulged by noted device hacker Billy Rios, surfaced.
If exploited, Hospira’s MedNet server software could be used to push unauthorized modifications to medication libraries and pump configurations. Similar to the issue with the pumps, that issue stemmed from the fact that the software, which basically manages drug libraries and how certain medicine is doled out through the pumps, used hard-coded cryptographic keys that could be intercepted by hackers.
On Wednesday Hospira claimed it was aware of the issue and that it has conferred with its customers on how to address it.
“There are no instances of Hospira devices being breached in a clinical setting and Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities,” Tareta Adams, a Hospira spokesperson said, adding that the company has had talks with the FDA and the Department of Homeland Security regarding device security.
“It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,” Adams said.
This article was updated on May 7 to include comments from Hospira
{"id": "THREATPOST:909F16267BED7C16BE79E56FCFF93CEC", "type": "threatpost", "bulletinFamily": "info", "title": "Vulnerability-Riddled Drug Pumps Open to Takeover", "description": "One medical device company\u2019s line of drug pumps is so fraught with vulnerabilities that the researcher that discovered the flaws claims the pump is the least secure IP-enabled device he\u2019s ever come across.\n\nCertain versions of Hospira\u2019s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple remotely exploitable vulnerabilities that could not only brick the device, but with a little tweaking, also let attackers change the drug library they\u2019re affiliated with, update the its software, and run commands.\n\n\u201cI would personally be very concerned if this device was being attached to me,\u201d Jeremy Richards, a Software Security Engineer at the SAINT Corporation who dug up the bugs, [wrote last week](<http://hextechsecurity.com/?p=123>), \u201cIt is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo.\u201d\n\n> Don't buy a Hospira PCA drug pump to do security stuff. Busybx no passwd shell on 23, no-auth CGIs, also never hook it up to a human being\n> \n> \u2014 dyngnosis (@dyngnosis) [April 27, 2015](<https://twitter.com/dyngnosis/status/592671049487142913>)\n\nThe affected pumps come configured with a default IP address, 192.168.0.100, that could be used by an attacker to extract wireless encryption keys, which are stored in plain text on the device. If an attacker had physical access to the device, they could not only gain access to the keys and compromise the pump, but by extension, any drug pumps in the hospital connected to its WiFi.\n\nIn a scenario Richards looked at he found WPA keys for the hospital\u2019s wireless network on the pumps, unencrypted and in plain text, something that means that they could easily be accessed via Telnet and FTP and ultimately, if the devices were ever sold, cause a mess of trouble for the hospitals.\n\n> Hospitals need to remove WPA keys from their devices before selling them on ebay/med surplus companies. This is a Life Critical Network.\n> \n> \u2014 dyngnosis (@dyngnosis) [April 28, 2015](<https://twitter.com/dyngnosis/status/593071014717698048>)\n\nRichards, who blogs about security at HextechSecurity.com, discussed the pump\u2019s failures last week. A CVE (CVE-2015-3459) for the issue, specifying that pumps running SW version 412 don\u2019t require authentication for Telnet sessions and could allow remote attackers to gain root privileges via TCP port 23, was created at the [National Vulnerability Database](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459>) shortly after.\n\nRichards claims that since the device has an exposed ethernet port a local physical attack could be carried out with an attack tool, like a specially rigged Raspberry Pi, in less than 5 seconds.\n\n\u201cThis is a game-over vulnerability that allows an attacker with physical access to the device complete control over their own device,\u201d Richards wrote.\n\n[](<http://imgur.com/JHiWSqd>)\n\nAttackers can also glean information related to hard coded local accounts and on top of that, a server, AppWeb, that runs in tandem with the device suffers from its own separate vulnerabilities as well.\n\nThe issue is complicated by the fact that even if there was authentication present on the Telnet port, it wouldn\u2019t help, since there are several web services, exposed CGIs \u201clinkparams\u201d and \u201cxmmucgi,\u201d that don\u2019t require authentication which an attacker could exploit to \u201cchange the drug library, update software and run commands.\u201d\n\nAs Richards points out in his blog, he\u2019s contacted Hospira, the medical device company that manufactures the pumps, but it apparently has no plans to either recertify or patch the devices.\n\nThe issue is the second to plague the Illinois medical device firm in the last month.\n\nIn late March [a similar flaw](<https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03>) with the company\u2019s Windows-based MedNet platform, divulged by noted device hacker Billy Rios, surfaced.\n\nIf exploited, Hospira\u2019s MedNet server software could be used to push unauthorized modifications to medication libraries and pump configurations. Similar to the issue with the pumps, that issue stemmed from the fact that the software, which basically manages drug libraries and how certain medicine is doled out through the pumps, used hard-coded cryptographic keys that could be intercepted by hackers.\n\nOn Wednesday Hospira claimed it was aware of the issue and that it has conferred with its customers on how to address it.\n\n\u201cThere are no instances of Hospira devices being breached in a clinical setting and Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities,\u201d Tareta Adams, a Hospira spokesperson said, adding that the company has had talks with the FDA and the Department of Homeland Security regarding device security.\n\n\u201cIt\u2019s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,\u201d Adams said.\n\n_This article was updated on May 7 to include comments from Hospira_\n", "published": "2015-05-05T14:34:02", "modified": "2018-03-22T07:50:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/vulnerability-riddled-drug-pumps-open-to-takeover/112629/", "reporter": "Chris Brook", "references": ["http://hextechsecurity.com/?p=123", "https://twitter.com/dyngnosis/status/592671049487142913", "https://twitter.com/dyngnosis/status/593071014717698048", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459", "http://imgur.com/JHiWSqd", "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03"], "cvelist": ["CVE-2015-3459"], "lastseen": "2018-10-06T22:56:56", "viewCount": 2, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2018-10-06T22:56:56", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-3459"]}, {"type": "ics", "idList": ["ICSA-15-125-01B"]}], "modified": "2018-10-06T22:56:56", "rev": 2}, "vulnersScore": 6.2}}
{"cve": [{"lastseen": "2021-02-02T06:21:24", "description": "The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.", "edition": 6, "cvss3": {}, "published": "2015-04-29T23:59:00", "title": "CVE-2015-3459", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3459"], "modified": "2017-01-03T19:16:00", "cpe": ["cpe:/h:hospira:lifecare_pca3:-", "cpe:/o:hospira:lifecare_pcainfusion_firmware:5.0", "cpe:/h:hospira:lifecare_pca5:-"], "id": "CVE-2015-3459", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:h:hospira:lifecare_pca5:-:*:*:*:*:*:*:*", "cpe:2.3:h:hospira:lifecare_pca3:-:*:*:*:*:*:*:*", "cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:5.0:*:*:*:*:*:*:*"]}], "ics": [{"lastseen": "2021-02-27T19:54:27", "bulletinFamily": "info", "cvelist": ["CVE-2014-5406", "CVE-2015-1011", "CVE-2015-1012", "CVE-2015-3459", "CVE-2015-3955", "CVE-2015-3957", "CVE-2015-3958"], "description": "## OVERVIEW\n\nThis updated advisory is a follow-up to the updated advisory titled ICSA-15-125-01A Hospira LifeCare PCA Infusion System Vulnerabilities that was published May 13, 2015, on the NCCIC/ICS-CERT web site.\n\n### **\\--------- Begin Update B Part 1 of 9 --------**\n\nIndependent researcher Billy Rios has identified vulnerabilities in Hospira\u2019s LifeCare PCA Infusion System, which ICS-CERT has been coordinating with Hospira since May 2014. Kyle Kamke of Ramparts, LLC has independently identified an uncontrolled resource consumption vulnerability in Hospira\u2019s Symbiq Infusion System. Hospira has not validated that this vulnerability exists on the LifeCare PCA System.\n\n### **\\--------- End Update B Part 1 of 9 ----------**\n\nICS-CERT has become aware of publicly disclosed vulnerabilities in the LifeCare Infusion System, which have been validated by Hospira. ICS-CERT is reporting on these additional vulnerabilities identified by \u201ctech\u201d to provide notice, so that asset owners and operators can take additional defensive measures to mitigate risks associated with these vulnerabilities.\n\nHospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Hospira has submitted a premarket 510(k) submission of the new LifeCare PCA Infusion System to the U.S. Food and Drug Administration (FDA), and this submission is currently under review. The release of the new system will be dependent on the clearance of Hospira\u2019s 510(k).\n\nThese vulnerabilities could be exploited remotely. Exploits that target some of these vulnerabilities are known to be publicly available.\n\n## AFFECTED PRODUCTS\n\nThe following Hospira products are affected:\n\n * LifeCare PCA Infusion System, Version 5.0 and prior versions.\n\n## IMPACT\n\n### **\\--------- Begin Update B Part 2 of 9 --------**\n\nSuccessful exploitation of these vulnerabilities, in a worst case scenario, may allow an attacker to impact the core functions of the device.\n\n### **\\--------- End Update B Part 2 of 9 ----------**\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nHospira is a US-based company that maintains offices in several countries around the world.\n\nThe affected product, the LifeCare PCA Infusion System, is an intravenous pump that delivers medication to patients. The affected products are deployed across the Healthcare and Public Health Sector. Hospira estimates that these products are primarily used in the US and Canada.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### **\\--------- Begin Update B Part 3 of 9 --------**\n\n### STACK-BASED BUFFER OVERFLOWa\n\nThe researcher has evaluated the device and asserts that the device contains a buffer overflow vulnerability that could be exploited to allow execution of arbitrary code on the device. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers\u2019 awareness, so that additional monitoring and controls can be applied.\n\nCVE-2015-3955b has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).c\n\n### **\\--------- End Update B Part 3 of 9 ----------**\n\n### IMPROPER AUTHORIZATIONd\n\nThe LifeCare PCA Infusion pump\u2019s communication module gives unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user may be able to issue commands to modify the wireless configuration of the pump.\n\nCVE-2015-3459e has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).f\n\n### **\\--------- Begin Update B Part 4 of 9 --------**\n\n### INSUFFICIENT VERIFICATION OF DATA AUTHENTICITYg\n\nThe LifeCare PCA Infusion pump could have drug libraries, software updates, and configuration changes uploaded to it from an unauthorized source. The LifeCare PCA Infusion pump listens on the following ports: Port 20/FTP, Port 23/TELNET, Port 80/HTTP, Port 443/HTTPS, and Port 5000/UPNP.\n\nCVE-2014-5406h has been assigned to this vulnerability. A CVSS v2 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:H/Au:N/C:C/I:C/A:C).i\n\n### **\\--------- End Update B Part 4 of 9 ----------**\n\n### USE OF HARDCODED PASSWORDj\n\nHardcoded accounts may be used to access the device.\n\nCVE-2015-1011k has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).l\n\n### CLEARTEXT STORAGE OF SENSITIVE INFORMATIONm\n\nWireless keys are stored in plain text on Version 5 of the LifeCare PCA Infusion System. According to Hospira, Version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting.\n\nCVE-2015-1012n has been assigned to this vulnerability. A CVSS v2 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:N).o\n\n### **\\--------- Begin Update B Part 5 of 9 --------**\n\n### KEY MANAGEMENT ERRORSp\n\nPrivate keys and certificates are stored on the device.\n\nCVE-2015-3957q has been assigned to this vulnerability. A CVSS v2 base score of 4.6 has been assigned; the CVSS vector string is (AV:L/AC:L/Au:N/C:P/I:P/A:P).r\n\n### **\\--------- End Update B Part 5 of 9 ----------**\n\n### VULNERABLE SOFTWARE VERSION USED\n\nThe web server is reportedly running vulnerable versions of AppWeb, to include Version 1.0.2, which contain numerous vulnerabilities. This vulnerability impacts LifeCare PCA Infusion Systems Version 5, prior to Version 5.07. According to Hospira, Version 3 of the LifeCare PCA Infusion System does not have wireless capability and, therefore, does not use the vulnerable versions of AppWeb.\n\n### **\\--------- Begin Update B Part 6 of 9 --------**\n\n### UNCONTROLLED RESOURCE CONSUMPTIONs\n\nThe device is susceptible to a denial of service condition as a result of an overflow of TCP packets, which requires the device to be manually rebooted. This vulnerability has not been validated by Hospira; however, acting out of an abundance of caution, ICS-CERT is including this information to enhance healthcare providers\u2019 awareness, so that additional monitoring and controls can be applied.\n\nCVE-2015-3958t has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).u\n\n### **\\--------- End Update B Part 6 of 9 ----------**\n\n### VULNERABILITY DETAILS\n\n### **\\--------- Begin Update B Part 7 of 9 --------**\n\n#### EXPLOITABILITY\n\nAll but one of these vulnerabilities could be exploited remotely.\n\n### **\\--------- End Update B Part 7 of 9 ----------**\n\n#### EXISTENCE OF EXPLOIT\n\nExploits that target some of these vulnerabilities are known to be publicly available.\n\n### **\\--------- Begin Update B Part 8 of 9 --------**\n\n#### DIFFICULTY\n\nAn attacker with low skill would be able to exploit all but two of these vulnerabilities; the remaining vulnerabilities would require high skill to exploit.\n\n### **\\--------- End Update B Part 8 of 9 ----------**\n\n## MITIGATION\n\nICS-CERT has been working with Hospira since May 2014 to address the vulnerabilities in the LifeCare PCA Infusion System. Hospira has developed a new version of the PCS Infusion System, Version 7.0 that addresses the identified vulnerabilities. According to Hospira, Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.\n\nHospira has developed a new version of the LifeCare PCA Infusion System and has stated that this new version will mitigate these vulnerabilities. Specifically, the new version is intended to:\n\n * Mitigate unauthorized remote access to the device,\n * Disable the ability for unauthorized changes to the medication library,\n * Remove hard-coded passwords to gain access to the device,\n * Encrypt storage of wireless network keys, and\n * Ensure that the vulnerable versions of AppWeb are no longer used.\n\nExisting PCA Infusion Systems running Version 5.0 can be upgraded to Version 7.0 when it becomes available. Hospira will be retiring older versions of the LifeCare PCA Infusion System, Versions 2 and Versions 3, by the end of the year, 2015.\n\nHospira\u2019s premarket 510(k) submission for the new LifeCare PCA Infusion System (Version 7.0) is currently being reviewed by the FDA. The release of the new system will be dependent on the clearance of Hospira\u2019s 510(k).\n\nFor additional information about Hospira\u2019s upcoming release, contact Hospira\u2019s technical support at 1-800-241-4002.\n\nICS-CERT strongly encourages asset owners to perform a risk assessment by examining their specific clinical use of the LifeCare PCA Infusion System in their host environment to identify any potential impacts of the identified vulnerabilities. ICS-CERT offers the following compensating options:\n\n * Temporarily disconnect the affected LifeCare PCA Infusion System from the wireless network until unused ports on the device are closed, to include Port 20/FTP and Port 23/TELNET. Once the unused ports have been closed, reconnecting the affected device to the wireless network should be done after ensuring that the host network is isolated from the Internet. The affected LifeCare PCA Infusion Systems should be isolated from untrusted systems; traffic to the device should be selectively controlled and monitored for anomalous activity.\n * Disconnect the affected LifeCare PCA Infusion System from the wireless network and use a wired connection to the host network. The operational concerns associated with this option are primarily associated with the initial setup of the wired connection and verifying that the host network effectively implements good design practices prior to connection of the LifeCare PCA Infusion System.\n * If neither of the previous two options are feasible, then disconnect the affected LifeCare PCA Infusion System from the wireless network until mitigations are available. Disconnecting the affected device from the wireless network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually and data normally transmitted to MedNet from the device, will not be available. Manual updates to each pump can be labor intensive and prone to entry error.\n\nICS-CERT encourages asset owners to implement the following defensive measures to protect against this and other cybersecurity risks. Specifically, users should:\n\n * Ensure that unused ports are closed, to include Port 20/FTP and Port 23/TELNET.\n\n### **\\--------- Begin Update B Part 9 of 9 --------**\n\n * Hospira strongly recommends that healthcare providers change the default password used to access Port 8443.\n * Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443.\n\n### **\\--------- End Update B Part 9 of 9 ----------**\n\n * Maintain layered physical and logical security to implement defense-in-depth security practices for environments operating medical devices.\n * Isolate the LifeCare PCA Infusion pump from the Internet and untrusted systems.\n * Produce an MD5 checksum of key files to identify any unauthorized changes.\n * Use good design practices that include network segmentation. Use DMZs with properly configured firewalls to selectively control traffic and monitor traffic passed between zones and systems to identify anomalous activity. Use the static nature of these isolated environments to look for anomalous activities.\n\nICS-CERT also provides a section for security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * aCWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed June 10, 2015.\n * bNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3955, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * cCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:N/C:C/I:C/A:C, web site last accessed June 10, 2015.\n * dCWE-285: Improper Authorization, http://cwe.mitre.org/data/definitions/285.html, web site last accessed May 13, 2015.\n * eNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459, web site last accessed May 13, 2015.\n * fCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web site last accessed May 13, 2015.\n * gCWE-345: Insufficient Verification of Data Authenticity, http://cwe.mitre.org/data/definitions/345.html, web site last accessed June 10, 2015.\n * hNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5406, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * iCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:N/C:C/I:C/A:C, web site last accessed June 10, 2015.\n * jCWE-259: Use of Hard-coded Password, http://cwe.mitre.org/data/definitions/259.html, web site last accessed May 13, 2015.\n * kNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1011, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * lCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web site last accessed May 13, 2015.\n * mCWE-312: Cleartext Storage of Sensitive Information, http://cwe.mitre.org/data/definitions/312.html, web site last accessed May 13, 2015.\n * nNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1012, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * oCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:N, web site last accessed May 13, 2015.\n * pCWE-320: Key Management Errors, http://cwe.mitre.org/data/definitions/320.html, web site last accessed June 10, 2015.\n * qNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3957, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * rCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:L/Au:N/C:P/I:P/A:P, web site last accessed June 10, 2015.\n * sCWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'), http://cwe.mitre.org/data/definitions/400.html, web site last accessed June 10, 2015.\n * tNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3958, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * uCVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, web site last accessed June 10, 2015.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-15-125-01B>); we'd welcome your feedback.\n", "modified": "2018-08-23T00:00:00", "published": "2015-06-10T00:00:00", "id": "ICSA-15-125-01B", "href": "https://www.us-cert.gov/ics/advisories/ICSA-15-125-01B", "type": "ics", "title": "Hospira LifeCare PCA Infusion System Vulnerabilities (Update B)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
