CVE-2014-5406 - Vulnerability Details - OpenCVE

ReportizFlow

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:H/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hospira	Lifecare Pca3 Lifecare Pca5 Lifecare Pcainfusion Firmware

Configuration 1 [-]

AND

cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:hospira:lifecare_pca3:-:::::::*
	cpe:2.3:h:hospira:lifecare_pca5:-:::::::*

No data.

References

Link	Providers
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

History

Mon, 03 Nov 2025 18:45:00 +0000

Type	Values Removed	Values Added
Title		Hospira LifeCare PCA Infusion System
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01
Metrics	cvssV2_0 `{'score': 9.3, 'vector': 'AV:N/AC:M/Au:N/C:C/I:C/A:C'}`	cvssV2_0 `{'score': 7.6, 'vector': 'AV:N/AC:H/Au:N/C:C/I:C/A:C'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2015-07-06T19:10:00

Updated: 2025-11-03T18:34:36.324Z

Reserved: 2014-08-22T00:00:00

Link: CVE-2014-5406

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-07-06T19:59:00.097

Modified: 2025-11-03T19:15:38.510

Link: CVE-2014-5406

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "LifeCare PCA Infusion System", "vendor": "Hospira", "versions": [{"lessThanOrEqual": "5.0", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "7.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Billy Rios"}], "datePublic": "2015-05-05T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.</p>"}], "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459."}], "metrics": [{"cvssV2_0": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-03T18:34:36.324Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01"}, {"tags": ["x_refsource_MISC"], "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"}, {"tags": ["x_refsource_MISC"], "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>ICS-CERT has been working with Hospira since May 2014 to address the \nvulnerabilities in the LifeCare PCA Infusion System. Hospira has \ndeveloped a new version of the PCS Infusion System, Version 7.0 that \naddresses the identified vulnerabilities. According to Hospira, \nVersion 7.0 has Port 20/FTP and Port 23/TELNET closed by default to \nprevent unauthorized access. Existing PCA Infusion Systems running \nVersion 5.0 can be upgraded to Version 7.0 when it becomes available. \nHospira\u2019s Version 7.0 is being reviewed by the FDA prior to its release.\n The release date for Version 7.0 of the LifeCare PCA Infusion System \nhas not been determined.</p>\n<p>For additional information about Hospira\u2019s new release, contact Hospira\u2019s technical support at 1\u2011800-241-4002.</p>\n\n<br>"}], "value": "ICS-CERT has been working with Hospira since May 2014 to address the \nvulnerabilities in the LifeCare PCA Infusion System. Hospira has \ndeveloped a new version of the PCS Infusion System, Version 7.0 that \naddresses the identified vulnerabilities. According to Hospira, \nVersion 7.0 has Port 20/FTP and Port 23/TELNET closed by default to \nprevent unauthorized access. Existing PCA Infusion Systems running \nVersion 5.0 can be upgraded to Version 7.0 when it becomes available. \nHospira\u2019s Version 7.0 is being reviewed by the FDA prior to its release.\n The release date for Version 7.0 of the LifeCare PCA Infusion System \nhas not been determined.\n\n\nFor additional information about Hospira\u2019s new release, contact Hospira\u2019s technical support at 1\u2011800-241-4002."}], "source": {"advisory": "ICSA-15-125-01", "discovery": "EXTERNAL"}, "title": "Hospira LifeCare PCA Infusion System", "x_generator": {"engine": "Vulnogram 0.5.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2014-5406", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"}, {"name": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm", "refsource": "MISC", "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"}, {"name": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/", "refsource": "MISC", "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-5406", "datePublished": "2015-07-06T19:10:00", "dateReserved": "2014-08-22T00:00:00", "dateUpdated": "2025-11-03T18:34:36.324Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hospira:lifecare_pcainfusion_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EF8A9BC-9349-4A57-A7B7-63640A066189", "versionEndIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hospira:lifecare_pca3:-:*:*:*:*:*:*:*", "matchCriteriaId": "86AC1C1C-D9FC-4EEE-B1A6-CEB03351EA58", "vulnerable": false}, {"criteria": "cpe:2.3:h:hospira:lifecare_pca5:-:*:*:*:*:*:*:*", "matchCriteriaId": "C3551213-7D88-43AC-B56A-50F063884258", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459."}, {"lang": "es", "value": "Hospira LifeCare PCA Infusion System anterior a 7.0 no valida trafico de la red asociado con el env\u00edo de (1) una librer\u00eda de drogas, (2) una actualizaci\u00f3n de software o (3) un cambio de configuraci\u00f3n, lo que permite a atacantes remotos modificar configuraciones o datos de medicamientos a trav\u00e9s de paquetes en el puerto (a) TELNET, (b) HTTP, (c) HTTPS, o (d) UPNP. NOTA: este problema podr\u00eda solapar el CVE-2015-3459."}], "id": "CVE-2014-5406", "lastModified": "2025-11-03T19:15:38.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-06T19:59:00.097", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"}, {"source": "[email protected]", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json"}, {"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01"}, {"source": "[email protected]", "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "[email protected]", "type": "Secondary"}]}