CVE-2016-8375

Severity Score

4.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.

Ha sido descubierto un problema en la unidad Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC), versión 9.5 y versiones anteriores, y en la versión 9.7 y unidad de PC 8000. Un usuario no autorizado con acceso físico a una unidad de Alaris PC afectada puede obtener credenciales de autenticación de red inalámbrica sin cifrar y otros datos técnicos confidenciales al desmontar la unidad de PC y acceder a la memoria flash del dispositivo. La unidad PC Alaris 8015, Versión 9.7 y la unidad PC 8000 almacenan credenciales de autenticación de redes inalámbricas y otros datos técnicos sensibles en la memoria flash interna. El acceso a la memoria flash interna del dispositivo afectado requeriría herramientas especiales para extraer datos y llevar a cabo este ataque en una instalación sanitaria aumentaría la probabilidad de detección.

*Credits: N/A

Attack Vector

Physical

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-28 CVE Reserved
2017-02-13 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/96113	Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01	Mitigation
https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bd Search vendor "Bd"		Alaris 8015 Pc Unit Search vendor "Bd" for product "Alaris 8015 Pc Unit"				<= 9.5 Search vendor "Bd" for product "Alaris 8015 Pc Unit" and version " <= 9.5"		-		Affected
Bd Search vendor "Bd"		Alaris 8015 Pc Unit Search vendor "Bd" for product "Alaris 8015 Pc Unit"				9.7 Search vendor "Bd" for product "Alaris 8015 Pc Unit" and version "9.7"		-		Affected