cnvd - cnvd-2017-23899

CNVD-2017-23899

Vulnerability from cnvd - Published: 2017-08-30

Title

Abbott Laboratories多款起搏器产品错误加密敏感数据漏洞

Description

Accent、Anthem、Accent MRI、Assurity、Allure和Assurity MRI都是美国雅培实验室（Abbott Laboratories）的植入式医疗设备。 Abbott Laboratories多款起搏器产品存在错误加密敏感数据漏洞，Accent和Anthem起搏器通过RF通信将未加密的患者信息传送给程序员和家庭监控单元。

Severity

低

Patch Name

Abbott Laboratories多款起搏器产品错误加密敏感数据漏洞的补丁

Patch Description

Formal description

用户可联系供应商获得补丁信息： https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

Impacted products

Name
['Abbott Laboratories Accent <August 28，2017', 'Abbott Laboratories Anthem <August 28，2017', 'Abbott Laboratories Accent MRI <August 28，2017', 'Abbott Laboratories Assurity MRI <August 28，2017']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12716"
    }
  },
  "description": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u9519\u8bef\u52a0\u5bc6\u654f\u611f\u6570\u636e\u6f0f\u6d1e\uff0cAccent\u548cAnthem\u8d77\u640f\u5668\u901a\u8fc7RF\u901a\u4fe1\u5c06\u672a\u52a0\u5bc6\u7684\u60a3\u8005\u4fe1\u606f\u4f20\u9001\u7ed9\u7a0b\u5e8f\u5458\u548c\u5bb6\u5ead\u76d1\u63a7\u5355\u5143\u3002",
  "discovererName": "unknow",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-23899",
  "openTime": "2017-08-30",
  "patchDescription": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u9519\u8bef\u52a0\u5bc6\u654f\u611f\u6570\u636e\u6f0f\u6d1e\uff0cAccent\u548cAnthem\u8d77\u640f\u5668\u901a\u8fc7RF\u901a\u4fe1\u5c06\u672a\u52a0\u5bc6\u7684\u60a3\u8005\u4fe1\u606f\u4f20\u9001\u7ed9\u7a0b\u5e8f\u5458\u548c\u5bb6\u5ead\u76d1\u63a7\u5355\u5143\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u9519\u8bef\u52a0\u5bc6\u654f\u611f\u6570\u636e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Abbott Laboratories Accent \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Anthem \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Accent MRI \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Assurity MRI \u003cAugust 28\uff0c2017"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
  "serverity": "\u4f4e",
  "submitTime": "2017-08-30",
  "title": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u9519\u8bef\u52a0\u5bc6\u654f\u611f\u6570\u636e\u6f0f\u6d1e"
}

CVE-2017-12716 (GCVE-0-2017-12716)

Vulnerability from cvelistv5 – Published: 2018-04-25 13:00 – Updated: 2024-09-17 01:55

Summary

Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.

Severity ?

No CVSS data available.

CWE

CWE-311 - Missing encryption of sensitive data CWE-311

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01	x_refsource_MISC
	http://www.securityfocus.com/bid/100523	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Abbott Laboratories	Accent and Anthem	Affected: All versions of pacemakers manufactured prior to August 28, 2017

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.589Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
          },
          {
            "name": "100523",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100523"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accent and Anthem",
          "vendor": "Abbott Laboratories",
          "versions": [
            {
              "status": "affected",
              "version": "All versions of pacemakers manufactured prior to August 28, 2017"
            }
          ]
        }
      ],
      "datePublic": "2017-08-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "Missing encryption of sensitive data CWE-311",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-26T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
        },
        {
          "name": "100523",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100523"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2017-08-29T00:00:00",
          "ID": "CVE-2017-12716",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accent and Anthem",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Abbott Laboratories"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing encryption of sensitive data CWE-311"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
            },
            {
              "name": "100523",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100523"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-12716",
    "datePublished": "2018-04-25T13:00:00Z",
    "dateReserved": "2017-08-09T00:00:00",
    "dateUpdated": "2024-09-17T01:55:36.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-23899

CVE-2017-12716 (GCVE-0-2017-12716)

Tags

Sightings

Nomenclature