CVE-2017-12720 - OpenCVE

An Improper Access Control issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Smiths-medical	Medfusion 4000 Wireless Syringe Infusion Pump

Configuration 1 [-]

AND

OR	cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.1:::::::*
	cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.5:::::::*
	cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.6:::::::*

cpe:2.3:h:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/100665
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-02-15T10:00:00

Updated: 2024-08-05T18:43:56.602Z

Reserved: 2017-08-09T00:00:00

Link: CVE-2017-12720

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-02-15T10:29:00.273

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-12720

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump", "vendor": "n/a", "versions": [{"status": "affected", "version": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump"}]}], "datePublic": "2018-02-15T00:00:00", "descriptions": [{"lang": "en", "value": "An Improper Access Control issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-15T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A"}, {"name": "100665", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100665"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-12720", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump", "version": {"version_data": [{"version_value": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Improper Access Control issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A"}, {"name": "100665", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100665"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:43:56.602Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A"}, {"name": "100665", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100665"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-12720", "datePublished": "2018-02-15T10:00:00", "dateReserved": "2017-08-09T00:00:00", "dateUpdated": "2024-08-05T18:43:56.602Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E9DB2BFA-A772-4A90-B79B-D6FB2090A63C", "vulnerable": true}, {"criteria": "cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "AC867D0F-2FF0-4E99-87FF-84A873F56341", "vulnerable": true}, {"criteria": "cpe:2.3:o:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "048B188C-D620-42EE-84D5-61C3F03F7FAA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:smiths-medical:medfusion_4000_wireless_syringe_infusion_pump:-:*:*:*:*:*:*:*", "matchCriteriaId": "9874E6FE-4025-484B-A7D4-62824A299ECA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Access Control issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections."}, {"lang": "es", "value": "Se ha descubierto un problema de control de acceso incorrecto en Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, en versiones 1.1, 1.5 y 1.6. El servidor FTP en la bomba no requiere autenticaci\u00f3n si la bomba est\u00e1 configurada para permitir conexiones FTP."}], "id": "CVE-2017-12720", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-15T10:29:00.273", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100665"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}