A vulnerability was found in Hospira Plum A+ Infusion System, Plum A+3 Infusion System and Symbiq Infusion System (Medical Device Software) (the affected version is unknown). It has been classified as critical. This affects an unknown code of the component Telnet Service. The manipulation with an unknown input leads to a improper authorization vulnerability. CWE is classifying the issue as CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommends that customers close Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.

The weakness was released 03/25/2019. This vulnerability is uniquely identified as CVE-2015-3954 since 05/12/2015. The attack needs to be initiated within the local network. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1548.002 according to MITRE ATT&CK.

It is possible to mitigate the weakness by firewalling tcp/23 (telnet).

Entries connected to this vulnerability are available at 132172, 132170 and 132169.

Productinfo

Type

• Medical Device Software

Vendor

• Hospira

Name

• Plum A+3 Infusion System
• Plum A+ Infusion System
• Symbiq Infusion System

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion