CVE-2018-5457 - OpenCVE

A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application.

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows Xp
Vyaire	Carefusion Upgrade Utility

Configuration 1 [-]

AND

cpe:2.3:a:vyaire:carefusion_upgrade_utility:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/102983	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2018-02-06T20:00:00

Updated: 2018-02-13T10:57:01

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5457

JSON object: View

NVD Information

Status : Modified

Published: 2018-02-06T21:29:00.473

Modified: 2019-10-09T23:41:23.797

Link: CVE-2018-5457

JSON object: View

Redhat Information

No data.

CWE

CWE-427

{"containers": {"cna": {"affected": [{"product": "Vyaire Medical CareFusion Upgrade Utility Vulnerability", "vendor": "n/a", "versions": [{"status": "affected", "version": "Vyaire Medical CareFusion Upgrade Utility Vulnerability"}]}], "datePublic": "2018-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-02-13T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}, {"name": "102983", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102983"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2018-5457", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Vyaire Medical CareFusion Upgrade Utility Vulnerability", "version": {"version_data": [{"version_value": "Vyaire Medical CareFusion Upgrade Utility Vulnerability"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-427"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}, {"name": "102983", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102983"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-5457", "datePublished": "2018-02-06T20:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2018-02-13T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyaire:carefusion_upgrade_utility:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B2D1C6A-8C44-4993-9DC1-2A92F8B42A25", "versionEndIncluding": "2.0.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*", "matchCriteriaId": "B47EBFCC-1828-45AB-BC6D-FB980929A81A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A uncontrolled search path element issue was discovered in Vyaire Medical CareFusion Upgrade Utility used with Windows XP systems, Versions 2.0.2.2 and prior versions. A successful exploit of this vulnerability requires the local user to install a crafted DLL on the target machine. The application loads the DLL and gives the attacker access at the same privilege level as the application."}, {"lang": "es", "value": "Se ha descubierto un problema de elemento de ruta de b\u00fasqueda no controlado en Vyaire Medical CareFusion Upgrade Utility, empleado en sistemas Windows XP, en versiones 2.0.2.2 y anteriores. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad requiere que el usuario local instale un DLL malicioso en la m\u00e1quina objetivo. La aplicaci\u00f3n carga el DLL y proporciona al atacante acceso al mismo nivel de privilegios que la aplicaci\u00f3n."}], "id": "CVE-2018-5457", "lastModified": "2019-10-09T23:41:23.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-06T21:29:00.473", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102983"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}