CVE-2015-3952 - OpenCVE

Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pifzer	Plum A\+3 Infusion System Plum A\+3 Infusion System Firmware Plum A\+ Infusion System Plum A\+ Infusion System Firmware Symbiq Infusion System Symbiq Infusion System Firmware

Configuration 1 [-]

AND

cpe:2.3:o:pifzer:plum_a\+_infusion_system_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:pifzer:plum_a\+_infusion_system:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:pifzer:plum_a\+3_infusion_system_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:pifzer:plum_a\+3_infusion_system:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:pifzer:symbiq_infusion_system_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:pifzer:symbiq_infusion_system:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-03-25T15:42:39

Updated: 2024-08-06T06:04:01.121Z

Reserved: 2015-05-12T00:00:00

Link: CVE-2015-3952

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-03-25T16:29:00.303

Modified: 2019-10-09T23:14:05.410

Link: CVE-2015-3952

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Plum A+ Infusion System", "vendor": "Hospira", "versions": [{"status": "affected", "version": "<= 13.4"}]}, {"product": "Plum A+3 Infusion System", "vendor": "Hospira", "versions": [{"status": "affected", "version": "<= 13.6"}]}, {"product": "Symbiq Infusion System", "vendor": "Hospira", "versions": [{"status": "affected", "version": "<= 3.13"}]}], "datePublic": "2015-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "Cleartext storage of sensitive information CWE-312", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-03-25T15:42:39", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2015-3952", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Plum A+ Infusion System", "version": {"version_data": [{"version_value": "<= 13.4"}]}}, {"product_name": "Plum A+3 Infusion System", "version": {"version_data": [{"version_value": "<= 13.6"}]}}, {"product_name": "Symbiq Infusion System", "version": {"version_data": [{"version_value": "<= 3.13"}]}}]}, "vendor_name": "Hospira"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cleartext storage of sensitive information CWE-312"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:04:01.121Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2015-3952", "datePublished": "2019-03-25T15:42:39", "dateReserved": "2015-05-12T00:00:00", "dateUpdated": "2024-08-06T06:04:01.121Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:pifzer:plum_a\\+_infusion_system_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "61C1A9DD-F143-4D0C-871C-B6CD7AF9DAB2", "versionEndIncluding": "13.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:pifzer:plum_a\\+_infusion_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "1DB2490B-0318-4770-BF45-CD7527F15D7F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:pifzer:plum_a\\+3_infusion_system_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8536E705-89E8-47CB-9567-6AD65FBA0F1B", "versionEndIncluding": "13.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:pifzer:plum_a\\+3_infusion_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "423AA561-8E38-4378-814B-1008B96F27A6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:pifzer:symbiq_infusion_system_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6DD5141-72AB-4694-8595-B4BED8EC7773", "versionEndIncluding": "3.13", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:pifzer:symbiq_infusion_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C295E1A-BF60-476D-B972-5C5C28D7633B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue."}, {"lang": "es", "value": "Las claves inal\u00e1mbricas se almacenan como texto en claro en Hospira Plum A+ Infusion System en su versi\u00f3n 13.4 y anteriores, Plum A+3 Infusion System en su versi\u00f3n 13.6 y anteriores y Symbiq Infusion System, en su versi\u00f3n 3.13 y anteriores. Hospira recomienda con los usuarios cierren el Puerto 20/FTP y el Puerto 23/TELNET en los dispositivos afectados. Hospira ha lanzado tambi\u00e9n el Plum 360 Infusion System que no es vulnerable a este problema."}], "id": "CVE-2015-3952", "lastModified": "2019-10-09T23:14:05.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-25T16:29:00.303", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "US Government Resource", "Third Party Advisory"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}