#VU8232 Information disclosure in Medfusion 4000 Wireless Syringe Infusion Pump - CVE-2017-12723
Published: September 11, 2017
Vulnerability identifier: #VU8232
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12723
CWE-ID: CWE-260
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Medfusion 4000 Wireless Syringe Infusion Pump
Medfusion 4000 Wireless Syringe Infusion Pump
Software vendor:
Smiths Medical
Smiths Medical
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to the pump stores some passwords in the configuration file. A remote attacker can gain access to arbitrary data. Successful exploitation of the vulnerability is possible if the pump is configured to allow external communications.
The weakness exists due to the pump stores some passwords in the configuration file. A remote attacker can gain access to arbitrary data. Successful exploitation of the vulnerability is possible if the pump is configured to allow external communications.
Remediation
Smiths Medical is planning to release Version 1.6.1 for the Medfusion 4000 Wireless Syringe Infusion Pump in January, 2018.