// For flags

CVE-2016-9355

 

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience.

Ha sido descubierto un problema en la unidad de Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC), versión 9.5 y versiones anteriores, y en la versión 9.7. Un usuario no autorizado con acceso físico a una unidad de PC Alaris 8015 puede ser capaz de obtener credenciales de autenticación de red inalámbrica sin cifrar y otros datos técnicos sensibles mediante el desmontaje de una unidad de PC Alaris 8015 y accediendo a la memoria flash del dispositivo. Las versiones de software más antiguas de la unidad Alaris 8015 PC versión 9.5 y versiones anteriores almacenan credenciales de autenticación de red inalámbrica y otros datos técnicos sensibles en la memoria flash extraíble del dispositivo afectado. Ser capaz de eliminar la memoria flash del dispositivo afectado reduce el riesgo de detección, permitiendo a un atacante extraer los datos almacenados a conveniencia del atacante.

*Credits: N/A
CVSS Scores
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-16 CVE Reserved
  • 2017-02-13 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-255: Credentials Management Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Bd
Search vendor "Bd"
 Alaris 8015 Pc Unit
Search vendor "Bd" for product "Alaris 8015 Pc Unit"
 <= 9.5
Search vendor "Bd" for product "Alaris 8015 Pc Unit" and version " <= 9.5"
-
Affected
Bd
Search vendor "Bd"
 Alaris 8015 Pc Unit
Search vendor "Bd" for product "Alaris 8015 Pc Unit"
 9.7
Search vendor "Bd" for product "Alaris 8015 Pc Unit" and version "9.7"
-
Affected