CVE-2023-30561 - OpenCVE

The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Bd	Alaris 8015 Pcu Alaris 8015 Pcu Firmware

Configuration 1 [-]

AND

cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: BD

Published: 2023-07-13T19:03:17.356Z

Updated: 2023-07-13T19:03:17.356Z

Reserved: 2023-04-12T16:30:07.537Z

Link: CVE-2023-30561

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-13T20:15:09.013

Modified: 2023-07-25T18:51:56.870

Link: CVE-2023-30561

JSON object: View

Redhat Information

No data.

CWE

CWE-311

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-30561", "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "state": "PUBLISHED", "assignerShortName": "BD", "dateReserved": "2023-04-12T16:30:07.537Z", "datePublished": "2023-07-13T19:03:17.356Z", "dateUpdated": "2023-07-13T19:03:17.356Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "BD Alaris\u00e2\u201e\u00a2 Point-of-Care Unit (PCU) Model 8015", "vendor": "Becton Dickinson & Co", "versions": [{"lessThanOrEqual": "12.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-07-13T18:56:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "impacts": [{"capecId": "CAPEC-390", "descriptions": [{"lang": "en", "value": "CAPEC-390 Bypassing Physical Security"}]}, {"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", "shortName": "BD", "dateUpdated": "2023-07-13T19:03:17.356Z"}, "references": [{"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"}], "source": {"discovery": "INTERNAL"}, "title": "Lack of Cryptographic Security of IUI Bus ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:bd:alaris_8015_pcu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F594B01D-BC1A-46AE-9251-F4BBAE6178D5", "versionEndIncluding": "12.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bd:alaris_8015_pcu:-:*:*:*:*:*:*:*", "matchCriteriaId": "5909B9D0-07A7-4AA1-8FF4-CE6DEBCE14DA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."}], "id": "CVE-2023-30561", "lastModified": "2023-07-25T18:51:56.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "cybersecurity@bd.com", "type": "Secondary"}]}, "published": "2023-07-13T20:15:09.013", "references": [{"source": "cybersecurity@bd.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"}], "sourceIdentifier": "cybersecurity@bd.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "cybersecurity@bd.com", "type": "Secondary"}]}