CVE-2016-9355

{"id": "CVE-2016-9355", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 0.9}]}, "published": "2017-02-13T22:59:00.240", "references": [{"url": "http://www.securityfocus.com/bid/96116", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience."}, {"lang": "es", "value": "Ha sido descubierto un problema en la unidad de Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC), versi\u00f3n 9.5 y versiones anteriores, y en la versi\u00f3n 9.7. Un usuario no autorizado con acceso f\u00edsico a una unidad de PC Alaris 8015 puede ser capaz de obtener credenciales de autenticaci\u00f3n de red inal\u00e1mbrica sin cifrar y otros datos t\u00e9cnicos sensibles mediante el desmontaje de una unidad de PC Alaris 8015 y accediendo a la memoria flash del dispositivo. Las versiones de software m\u00e1s antiguas de la unidad Alaris 8015 PC versi\u00f3n 9.5 y versiones anteriores almacenan credenciales de autenticaci\u00f3n de red inal\u00e1mbrica y otros datos t\u00e9cnicos sensibles en la memoria flash extra\u00edble del dispositivo afectado. Ser capaz de eliminar la memoria flash del dispositivo afectado reduce el riesgo de detecci\u00f3n, permitiendo a un atacante extraer los datos almacenados a conveniencia del atacante."}], "lastModified": "2017-03-16T17:08:35.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C65F8B2-E4A6-429B-BA5A-FD3FA2B7ABF3", "versionEndIncluding": "9.5"}, {"criteria": "cpe:2.3:a:bd:alaris_8015_pc_unit:9.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A084F62-ED84-4DE0-BE57-6665FB7248B6"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}