CVE-2023-30561 - OpenCVE

The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bd	Alaris 8015 Pcu Alaris 8015 Pcu Firmware

Configuration 1 [-]

AND

cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*

cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx

History

No history.

MITRE

Status: PUBLISHED

Assigner: BD

Published: 2023-07-13T19:03:17.356Z

Updated: 2024-08-02T14:28:51.672Z

Reserved: 2023-04-12T16:30:07.537Z

Link: CVE-2023-30561

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-13T20:15:09.013

Modified: 2023-07-25T18:51:56.870

Link: CVE-2023-30561

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30561", "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "state": "PUBLISHED", "assignerShortName": "BD", "dateReserved": "2023-04-12T16:30:07.537Z", "datePublished": "2023-07-13T19:03:17.356Z", "dateUpdated": "2024-08-02T14:28:51.672Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "BD Alaris\u00e2\u201e\u00a2 Point-of-Care Unit (PCU) Model 8015", "vendor": "Becton Dickinson & Co", "versions": [{"lessThanOrEqual": "12.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-07-13T18:56:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "impacts": [{"capecId": "CAPEC-390", "descriptions": [{"lang": "en", "value": "CAPEC-390 Bypassing Physical Security"}]}, {"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "shortName": "BD", "dateUpdated": "2023-07-13T19:03:17.356Z"}, "references": [{"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"}], "source": {"discovery": "INTERNAL"}, "title": "Lack of Cryptographic Security of IUI Bus ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:28:51.672Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*", "matchCriteriaId": "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F594B01D-BC1A-46AE-9251-F4BBAE6178D5", "versionEndIncluding": "12.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "id": "CVE-2023-30561", "lastModified": "2023-07-25T18:51:56.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "cybersecurity@bd.com", "type": "Secondary"}]}, "published": "2023-07-13T20:15:09.013", "references": [{"source": "cybersecurity@bd.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"}], "sourceIdentifier": "cybersecurity@bd.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "cybersecurity@bd.com", "type": "Secondary"}]}