Vulnerability-Lookup

CVE-2018-18562 (GCVE-0-2018-18562)

Vulnerability from cvelistv5 – Published: 2018-11-20 19:00 – Updated: 2024-08-05 11:15

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

CNVD-2019-08983

Vulnerability from cnvd - Published: 2019-04-03

Title

Roche Accu-Chek Inform II Base Unit/Base Unit Hub和CoaguChek/cobas h232 Handheld Base Unit授权问题漏洞

Description

Roche Accu-Chek Inform II Base Unit/Base Unit Hub和CoaguChek/cobas h232 Handheld Base Unit都是瑞士罗氏（Roche）公司的手持式血液检测医疗设备。 Roche Accu-Chek Inform II Base Unit/Base Unit Hub 03.01.04之前的版本和CoaguChek/cobas h232 Handheld Base Unit 03.01.04之前的版本中存在授权问题漏洞。攻击者可利用该漏洞在操作系统上执行任意命令。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新 https://www.roche.com/

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01

Impacted products

Name
['Roche Accu-Chek Inform II Base Unit/Base Unit Hub <03.01.04', 'Roche CoaguChek/cobas h232 Handheld Base Unit <03.01.04']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-18562"
    }
  },
  "description": "Roche Accu-Chek Inform II Base Unit/Base Unit Hub\u548cCoaguChek/cobas h232 Handheld Base Unit\u90fd\u662f\u745e\u58eb\u7f57\u6c0f\uff08Roche\uff09\u516c\u53f8\u7684\u624b\u6301\u5f0f\u8840\u6db2\u68c0\u6d4b\u533b\u7597\u8bbe\u5907\u3002\n\nRoche Accu-Chek Inform II Base Unit/Base Unit Hub 03.01.04\u4e4b\u524d\u7684\u7248\u672c\u548cCoaguChek/cobas h232 Handheld Base Unit 03.01.04\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Niv Yehezkel of Medigate",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\r\nhttps://www.roche.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-08983",
  "openTime": "2019-04-03",
  "products": {
    "product": [
      "Roche Accu-Chek Inform II Base Unit/Base Unit Hub \u003c03.01.04",
      "Roche CoaguChek/cobas h232 Handheld Base Unit \u003c03.01.04"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01",
  "serverity": "\u4f4e",
  "submitTime": "2018-11-07",
  "title": "Roche Accu-Chek Inform II Base Unit/Base Unit Hub\u548cCoaguChek/cobas h232 Handheld Base Unit\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

ICSMA-18-310-01

Vulnerability from csaf_cisa - Published: 2018-11-06 00:00 - Updated: 2018-11-08 00:00

Summary

Roche Diagnostics Point of Care Handheld Medical Devices (Update A)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to modify system settings or execute arbitrary code.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

Switzerland

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Niv Yehezkel"
        ],
        "organization": "Medigate",
        "summary": "reporting these vulnerabilities to Roche"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to modify system settings or execute arbitrary code.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Switzerland",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-18-310-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsma-18-310-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-18-310-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-310-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Roche Diagnostics Point of Care Handheld Medical Devices (Update A)",
    "tracking": {
      "current_release_date": "2018-11-08T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-18-310-01",
      "initial_release_date": "2018-11-06T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2018-11-06T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-18-310-01 Roche Point of Care Handheld Medical Devices"
        },
        {
          "date": "2018-11-08T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSMA-18-310-01 Roche Diagnostics Point of Care Handheld Medical Devices (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Accu-Chek Inform II",
                "product": {
                  "name": "Point of Care handheld medical devices - Accu-Chek Inform II",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "CoaguChek Pro II",
                "product": {
                  "name": "Point of Care handheld medical devices - CoaguChek Pro II",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "CoaguChek XS Plus",
                "product": {
                  "name": "Point of Care handheld medical devices - CoaguChek XS Plus",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "CoaguChek XS Pro",
                "product": {
                  "name": "Point of Care handheld medical devices - CoaguChek XS Pro",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cobas h 232 POC",
                "product": {
                  "name": "Point of Care handheld medical devices - cobas h 232 POC",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "base units (BU)|handheld base units (HBU)",
                "product": {
                  "name": "Point of Care handheld medical devices - Including the related base units (BU), base unit hubs and handheld base units (HBU).",
                  "product_id": "CSAFPID-0006"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Accu-Chek Inform II Base Unit Light",
                "product": {
                  "name": "Point of Care handheld medical devices - Accu-Chek Inform II Base Unit Light",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newer",
                "product": {
                  "name": "Point of Care handheld medical devices - Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newer",
                  "product_id": "CSAFPID-0008"
                }
              }
            ],
            "category": "product_name",
            "name": "Point of Care handheld medical devices"
          }
        ],
        "category": "vendor",
        "name": "Roche Diagnostics"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-18561",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface. CVE-2018-18561 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).. Affected products:CVE-2018-18561 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18561"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For non-connected devices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For all affected products, Roche Diagnostic has scheduled release of new software updates with availability beginning November 2018.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For further information or concerns, please contact a local Roche Diagnostics office at the following location:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "https://www.roche.com/about/business/roche_worldwide.htm",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ],
          "url": "https://www.roche.com/about/business/roche_worldwide.htm"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-18562",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating systems. CVE-2018-18562 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).. Affected products:CVE-2018-18562 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18562"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For non-connected devices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For all affected products, Roche Diagnostic has scheduled release of new software updates with availability beginning November 2018.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For further information or concerns, please contact a local Roche Diagnostics office at the following location:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "https://www.roche.com/about/business/roche_worldwide.htm",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ],
          "url": "https://www.roche.com/about/business/roche_worldwide.htm"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-18563",
      "cwe": {
        "id": "CWE-434",
        "name": "Unrestricted Upload of File with Dangerous Type"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability in the software update mechanism allows an attacker in adjacent network to overwrite arbitrary files on the system through a crafted update package. CVE-2018-18563 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).. Affected products: Affected products:. Accu-Chek Inform II Instrument - all versions before 03.06.00 (serial number below 14000) / 04.03.00 (serial Number above 14000)CVE-2018-18563 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18563"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For non-connected devices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For all affected products, Roche Diagnostic has scheduled release of new software updates with availability beginning November 2018.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For further information or concerns, please contact a local Roche Diagnostics office at the following location:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "https://www.roche.com/about/business/roche_worldwide.htm",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ],
          "url": "https://www.roche.com/about/business/roche_worldwide.htm"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-18564",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted message. CVE-2018-18564 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).. Affected Products:CVE-2018-18564 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18564"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For non-connected devices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For all affected products, Roche Diagnostic has scheduled release of new software updates with availability beginning November 2018.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For further information or concerns, please contact a local Roche Diagnostics office at the following location:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "https://www.roche.com/about/business/roche_worldwide.htm",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ],
          "url": "https://www.roche.com/about/business/roche_worldwide.htm"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2018-18565",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Improper access control allows attackers in the adjacent network to change the instrument configuration. CVE-2018-18565 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H).. Affected products:CVE-2018-18565 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18565"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For non-connected devices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For all affected products, Roche Diagnostic has scheduled release of new software updates with availability beginning November 2018.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For further information or concerns, please contact a local Roche Diagnostics office at the following location:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "https://www.roche.com/about/business/roche_worldwide.htm",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ],
          "url": "https://www.roche.com/about/business/roche_worldwide.htm"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008"
          ]
        }
      ]
    }
  ]
}

VAR-201811-0059

Vulnerability from variot - Updated: 2023-12-18 12:43

An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface. plural Roche The product contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RocheAccu-ChekInformIIBaseUnit/BaseUnitHub and CoaguChek/cobash232HandheldBaseUnit are hand-held blood test medical devices from Roche, Switzerland. An authorization issue vulnerability exists in versions prior to RocheAccu-ChekInformIIBaseUnit/BaseUnitHub03.01.04 and prior to CoaguChek/cobash232HandheldBaseUnit03.01.04. An attacker could exploit this vulnerability to execute arbitrary commands on the operating system. Multiple Roche Point of Care Handheld Medical Services are prone to the following security vulnerabilities: 1. An authentication bypass vulnerability 2. An OS command-injection vulnerability 3. An arbitrary file-upload vulnerability 4. A remote code-execution vulnerability 5

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201811-0059",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "cobas h 232",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "coaguchek",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "base unit hub",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "accu-chek inform ii",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "accu-chek inform ii",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "roche diagnostics",
        "version": "03.01.04"
      },
      {
        "model": "base unit hub",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "roche diagnostics",
        "version": "03.01.04"
      },
      {
        "model": "coaguchek",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "roche diagnostics",
        "version": "03.01.04"
      },
      {
        "model": "cobas h 232",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "roche diagnostics",
        "version": "03.01.04"
      },
      {
        "model": "accu-chek inform ii base unit/base unit hub",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "coaguchek/cobas h232 handheld base unit",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "roche",
        "version": "03.01.04"
      },
      {
        "model": "cobas h",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "2320"
      },
      {
        "model": "coaguchek xs pro",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "0"
      },
      {
        "model": "coaguchek xs plus",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "0"
      },
      {
        "model": "coaguchek pro ii",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "0"
      },
      {
        "model": "coaguchek",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "0"
      },
      {
        "model": "accu-chek inform ii instrument",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "roche",
        "version": "0"
      },
      {
        "model": "cobas h",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "2324.0.4"
      },
      {
        "model": "cobas h",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "2323.1.4"
      },
      {
        "model": "cobas h",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "2323.1.3"
      },
      {
        "model": "coaguchek xs pro",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "3.1.6"
      },
      {
        "model": "coaguchek xs plus",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "3.1.6"
      },
      {
        "model": "coaguchek pro ii",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "4.3"
      },
      {
        "model": "coaguchek",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "3.1.4"
      },
      {
        "model": "accu-chek inform ii instrument",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "roche",
        "version": "3.6"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "accu chek inform ii",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "cobas h 232",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "coaguchek",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "base unit hub",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "BID",
        "id": "105843"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:accu-chek_inform_ii_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:accu-chek_inform_ii:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:cobas_h_232_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:cobas_h_232:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:coaguchek_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:coaguchek:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:base_unit_hub_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:base_unit_hub:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Niv Yehezkel of Medigate",
    "sources": [
      {
        "db": "BID",
        "id": "105843"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2018-18562",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.5,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 3.3,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2018-18562",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.5,
            "id": "CNVD-2019-08983",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "LOW",
            "trust": 0.6,
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.5,
            "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "LOW",
            "trust": 0.2,
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-18562",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-18562",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-08983",
            "trust": 0.6,
            "value": "LOW"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201811-115",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e",
            "trust": 0.2,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface. plural Roche The product contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RocheAccu-ChekInformIIBaseUnit/BaseUnitHub and CoaguChek/cobash232HandheldBaseUnit are hand-held blood test medical devices from Roche, Switzerland. An authorization issue vulnerability exists in versions prior to RocheAccu-ChekInformIIBaseUnit/BaseUnitHub03.01.04 and prior to CoaguChek/cobash232HandheldBaseUnit03.01.04. An attacker could exploit this vulnerability to execute arbitrary commands on the operating system. Multiple Roche Point of Care Handheld Medical Services are prone to the following security vulnerabilities:\n1. An authentication bypass vulnerability\n2. An OS command-injection vulnerability\n3. An arbitrary file-upload vulnerability\n4. A remote code-execution vulnerability\n5",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "BID",
        "id": "105843"
      },
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-18562",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-18-310-01",
        "trust": 3.3
      },
      {
        "db": "BID",
        "id": "105843",
        "trust": 1.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "388AC3A5-5C09-40C4-9636-9F7B015CEB2E",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "BID",
        "id": "105843"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "id": "VAR-201811-0059",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      }
    ],
    "trust": 1.6163265328571428
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      },
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:43:46.102000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://diagnostics.roche.com/us/en/home.html"
      },
      {
        "title": "Roche Accu-Chek Inform II Base Unit/Base Unit Hub  and CoaguChek/cobas h232 Handheld Base Unit Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=100317"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-521",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-255",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-18-310-01"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/105843"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18562"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18562"
      },
      {
        "trust": 0.3,
        "url": "https://www.roche.com/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "BID",
        "id": "105843"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "db": "BID",
        "id": "105843"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-03T00:00:00",
        "db": "IVD",
        "id": "388ac3a5-5c09-40c4-9636-9f7b015ceb2e"
      },
      {
        "date": "2019-04-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "date": "2018-11-06T00:00:00",
        "db": "BID",
        "id": "105843"
      },
      {
        "date": "2019-02-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "date": "2018-11-20T19:29:00.793000",
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "date": "2018-11-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-08983"
      },
      {
        "date": "2018-11-06T00:00:00",
        "db": "BID",
        "id": "105843"
      },
      {
        "date": "2019-02-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      },
      {
        "date": "2019-10-03T00:03:26.223000",
        "db": "NVD",
        "id": "CVE-2018-18562"
      },
      {
        "date": "2019-10-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  Roche Vulnerabilities related to certificate and password management in products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-012879"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201811-115"
      }
    ],
    "trust": 0.6
  }
}

GSD-2018-18562

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-18562

Aliases

CVE-2018-18562

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-18562",
    "description": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.",
    "id": "GSD-2018-18562"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-18562"
      ],
      "details": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.",
      "id": "GSD-2018-18562",
      "modified": "2023-12-13T01:22:36.431232Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-18562",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01"
          },
          {
            "name": "105843",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/105843"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:accu-chek_inform_ii_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:accu-chek_inform_ii:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:cobas_h_232_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:cobas_h_232:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:coaguchek_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:coaguchek:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:roche:base_unit_hub_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "03.01.04",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:roche:base_unit_hub:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-18562"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-521"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01"
            },
            {
              "name": "105843",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/105843"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.5,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2018-11-20T19:29Z"
    }
  }
}

GHSA-P7QG-FF7V-PQ67

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-18562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-521"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-20T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.",
  "id": "GHSA-p7qg-ff7v-pq67",
  "modified": "2022-05-13T01:50:42Z",
  "published": "2022-05-13T01:50:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18562"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105843"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2018-18562

Vulnerability from fkie_nvd - Published: 2018-11-20 19:29 - Updated: 2024-11-21 03:56

Severity ?

8.8 (High) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.securityfocus.com/bid/105843	Third Party Advisory, VDB Entry
cve@mitre.org	https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/105843	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01	Mitigation, Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
roche	accu-chek_inform_ii_firmware	*
roche	accu-chek_inform_ii	-
roche	cobas_h_232_firmware	*
roche	cobas_h_232	-
roche	coaguchek_firmware	*
roche	coaguchek	-
roche	base_unit_hub_firmware	*
roche	base_unit_hub	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:roche:accu-chek_inform_ii_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56005279-FD83-4A6D-981D-A059DFEF41F4",
              "versionEndExcluding": "03.01.04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:roche:accu-chek_inform_ii:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A997E9CB-50C6-4363-AC6C-F03050FE2CFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:roche:cobas_h_232_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1625F19F-19D6-4B8E-9A55-01FAC88DD21D",
              "versionEndExcluding": "03.01.04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:roche:cobas_h_232:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "32562950-3817-40E3-B252-1288ED9A375F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:roche:coaguchek_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2146545-D1CD-4C50-A093-BE80FD68858B",
              "versionEndExcluding": "03.01.04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:roche:coaguchek:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "429AC051-0E68-4581-9552-CE8D9C674DE0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:roche:base_unit_hub_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "267D4C46-8031-49B4-BB5A-9A976D8B7997",
              "versionEndExcluding": "03.01.04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:roche:base_unit_hub:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFF80986-8DCB-4310-A3B7-AB31FD6BB36D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema en Roche Accu-Chek Inform II Base Unit / Base Unit Hub en versiones anteriores a la 03.01.04 y CoaguChek / cobas h232 Handheld Base Unit en versiones anteriores a la 03.01.04. Las credenciales de acceso d\u00e9biles podr\u00edan permitir que los atacantes en la red adyacente obtengan acceso no autorizado al servicio mediante una interfaz del servicio."
    }
  ],
  "id": "CVE-2018-18562",
  "lastModified": "2024-11-21T03:56:09.663",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-11-20T19:29:00.793",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105843"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/105843"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-521"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-18562 (GCVE-0-2018-18562)

CNVD-2019-08983

ICSMA-18-310-01

VAR-201811-0059

GSD-2018-18562

GHSA-P7QG-FF7V-PQ67

FKIE_CVE-2018-18562

Tags

Sightings

Nomenclature