Lucene search

[email protected]CVE-2017-12721

HistoryFeb 15, 2018 - 10:29 a.m.

CVE-2017-12721

2018-02-1510:29:00

CWE-295

[email protected]

web.nvd.nist.gov

cve-2017-12721

improper certificate validation

smiths medical

medfusion 4000

wireless syringe infusion pump

mitm attack

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.0%

JSON

An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

Affected configurations

NVD

Node

smiths-medicalmedfusion_4000_wireless_syringe_infusion_pumpMatch1.1

smiths-medicalmedfusion_4000_wireless_syringe_infusion_pumpMatch1.5

smiths-medicalmedfusion_4000_wireless_syringe_infusion_pumpMatch1.6

AND

smiths-medicalmedfusion_4000_wireless_syringe_infusion_pumpMatch-

CPENameOperatorVersion
smiths-medical:medfusion_4000_wireless_syringe_infusion_pumpsmiths-medical medfusion 4000 wireless syringe infusion pumpeq1.1
smiths-medical:medfusion_4000_wireless_syringe_infusion_pumpsmiths-medical medfusion 4000 wireless syringe infusion pumpeq1.5
smiths-medical:medfusion_4000_wireless_syringe_infusion_pumpsmiths-medical medfusion 4000 wireless syringe infusion pumpeq1.6

CPE	Name	Operator	Version
smiths-medical:medfusion_4000_wireless_syringe_infusion_pump	smiths-medical medfusion 4000 wireless syringe infusion pump	eq	1.1
smiths-medical:medfusion_4000_wireless_syringe_infusion_pump	smiths-medical medfusion 4000 wireless syringe infusion pump	eq	1.5
smiths-medical:medfusion_4000_wireless_syringe_infusion_pump	smiths-medical medfusion 4000 wireless syringe infusion pump	eq	1.6

CNA Affected

[
  {
    "product": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump"
      }
    ]
  }
]

References

www.securityfocus.com/bid/100665

ics-cert.us-cert.gov/advisories/ICSMA-17-250-02A

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.0%

JSON

Related for CVE-2017-12721

nvd1 prion1 cvelist1 thn1 ics1