{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "other", "text": "No known public exploits specifically target this vulnerability.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "CISAservicedesk@cisa.dhs.gov", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSMA-17-017-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-017-01.json" }, { "category": "self", "summary": "ICS Advisory ICSMA-17-017-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-017-01" } ], "title": "ICSMA-17-017-01_BD Alaris 8000 Insufficiently Protected Credentials Vulnerability", "tracking": { "current_release_date": "2017-02-07T00:00:00.000000Z", "generator": { "engine": { "name": "CISA USCert CSAF Generator", "version": "1" } }, "id": "ICSMA-17-017-01", "initial_release_date": "2017-01-17T00:00:00.000000Z", "revision_history": [ { "date": "2017-01-17T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSMA-17-017-01P BD Alaris 8000 Insufficiently Protected Credentials Vulnerability" }, { "date": "2017-02-07T00:00:00.000000Z", "legacy_version": "A", "number": "2", "summary": "ICSMA-17-017-01 BD Alaris 8000 Insufficiently Protected Credentials Vulnerability (Update A)" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "vers:all/*", "product": { "name": "Alaris 8000 PC unit: all versions", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "Alaris 8000 PC unit" } ], "category": "vendor", "name": "Becton, Dickinson and Company (BD)" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-8375", "cwe": { "id": "CWE-522", "name": "Insufficiently Protected Credentials" }, "notes": [ { "category": "summary", "text": "An unauthorized user with physical access to an Alaris 8000 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8000 PC unit and accessing the device 's flash memory. The Alaris 8000 PC unit stores wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "BD has released a security bulletin for the Alaris PC unit (PCU) model 8000, which is available at the following location:", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2016-8375" } ] }