cnvd - cnvd-2017-23901

CNVD-2017-23901

Vulnerability from cnvd - Published: 2017-08-30

Title

Abbott Laboratories多款起搏器产品未授权访问漏洞

Description

Accent、Anthem、Accent MRI、Assurity、Allure和Assurity MRI都是美国雅培实验室（Abbott Laboratories）的植入式医疗设备。 Abbott Laboratories多款起搏器产品存在未授权访问漏洞，涉及身份验证密钥和时间戳的起搏器认证算法可能会受到损害或绕过，导致附近的攻击者通过RF通信向起搏器发出未经授权的命令。

Severity

中

Patch Name

Abbott Laboratories多款起搏器产品未授权访问漏洞的补丁

Patch Description

Formal description

用户可联系供应商获得补丁信息： https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

Impacted products

Name
['Abbott Laboratories Accent <August 28，2017', 'Abbott Laboratories Anthem <August 28，2017', 'Abbott Laboratories Accent MRI <August 28，2017', 'Abbott Laboratories Assurity <August 28，2017', 'Abbott Laboratories Allure <August 28，2017', 'Abbott Laboratories Assurity MRI <August 28，2017']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12712"
    }
  },
  "description": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u6d89\u53ca\u8eab\u4efd\u9a8c\u8bc1\u5bc6\u94a5\u548c\u65f6\u95f4\u6233\u7684\u8d77\u640f\u5668\u8ba4\u8bc1\u7b97\u6cd5\u53ef\u80fd\u4f1a\u53d7\u5230\u635f\u5bb3\u6216\u7ed5\u8fc7\uff0c\u5bfc\u81f4\u9644\u8fd1\u7684\u653b\u51fb\u8005\u901a\u8fc7RF\u901a\u4fe1\u5411\u8d77\u640f\u5668\u53d1\u51fa\u672a\u7ecf\u6388\u6743\u7684\u547d\u4ee4\u3002",
  "discovererName": "unknow",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-23901",
  "openTime": "2017-08-30",
  "patchDescription": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u6d89\u53ca\u8eab\u4efd\u9a8c\u8bc1\u5bc6\u94a5\u548c\u65f6\u95f4\u6233\u7684\u8d77\u640f\u5668\u8ba4\u8bc1\u7b97\u6cd5\u53ef\u80fd\u4f1a\u53d7\u5230\u635f\u5bb3\u6216\u7ed5\u8fc7\uff0c\u5bfc\u81f4\u9644\u8fd1\u7684\u653b\u51fb\u8005\u901a\u8fc7RF\u901a\u4fe1\u5411\u8d77\u640f\u5668\u53d1\u51fa\u672a\u7ecf\u6388\u6743\u7684\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Abbott Laboratories Accent \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Anthem \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Accent MRI \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Assurity \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Allure \u003cAugust 28\uff0c2017",
      "Abbott Laboratories Assurity MRI \u003cAugust 28\uff0c2017"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
  "serverity": "\u4e2d",
  "submitTime": "2017-08-30",
  "title": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e"
}

CVE-2017-12712 (GCVE-0-2017-12712)

Vulnerability from cvelistv5 – Published: 2018-04-25 13:00 – Updated: 2024-09-17 03:48

Summary

The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.

Severity ?

No CVSS data available.

CWE

CWE-287 - Improper authentication CWE-287

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01	x_refsource_MISC
	http://www.securityfocus.com/bid/100523	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Abbott Laboratories	Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.	Affected: All versions of pacemakers manufactured prior to August 28, 2017

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.613Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
          },
          {
            "name": "100523",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100523"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
          "vendor": "Abbott Laboratories",
          "versions": [
            {
              "status": "affected",
              "version": "All versions of pacemakers manufactured prior to August 28, 2017"
            }
          ]
        }
      ],
      "datePublic": "2017-08-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "Improper authentication CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-26T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
        },
        {
          "name": "100523",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100523"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2017-08-29T00:00:00",
          "ID": "CVE-2017-12712",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Abbott Laboratories"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper authentication CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
            },
            {
              "name": "100523",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100523"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-12712",
    "datePublished": "2018-04-25T13:00:00Z",
    "dateReserved": "2017-08-09T00:00:00",
    "dateUpdated": "2024-09-17T03:48:37.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-23901

CVE-2017-12712 (GCVE-0-2017-12712)

Tags

Sightings

Nomenclature