CVE-2018-5457 - OpenCVE

A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows Xp
Vyaire	Carefusion Upgrade Utility

Configuration 1 [-]

AND

cpe:2.3:a:vyaire:carefusion_upgrade_utility:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102983
https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-02-06T20:00:00

Updated: 2024-08-05T05:33:44.396Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5457

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-06T21:29:00.473

Modified: 2019-10-09T23:41:23.797

Link: CVE-2018-5457

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Vyaire Medical CareFusion Upgrade Utility Vulnerability", "vendor": "n/a", "versions": [{"status": "affected", "version": "Vyaire Medical CareFusion Upgrade Utility Vulnerability"}]}], "datePublic": "2018-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-02-13T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}, {"name": "102983", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102983"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2018-5457", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vyaire Medical CareFusion Upgrade Utility Vulnerability", "version": {"version_data": [{"version_value": "Vyaire Medical CareFusion Upgrade Utility Vulnerability"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-427"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}, {"name": "102983", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102983"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:33:44.396Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}, {"name": "102983", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102983"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-5457", "datePublished": "2018-02-06T20:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-08-05T05:33:44.396Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyaire:carefusion_upgrade_utility:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B2D1C6A-8C44-4993-9DC1-2A92F8B42A25", "versionEndIncluding": "2.0.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*", "matchCriteriaId": "B47EBFCC-1828-45AB-BC6D-FB980929A81A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}, {"lang": "es", "value": "Se ha descubierto un problema de elemento de ruta de b\u00fasqueda no controlado en Vyaire Medical CareFusion Upgrade Utility, empleado en sistemas Windows XP, en versiones 2.0.2.2 y anteriores. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad requiere que el usuario local instale un DLL malicioso en la m\u00e1quina objetivo. La aplicaci\u00f3n carga el DLL y proporciona al atacante acceso al mismo nivel de privilegios que la aplicaci\u00f3n."}], "id": "CVE-2018-5457", "lastModified": "2019-10-09T23:41:23.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-06T21:29:00.473", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102983"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}