cnvd - cnvd-2020-49567

CNVD-2020-49567

Vulnerability from cnvd - Published: 2020-08-31

Title

Philips SureSigns VS4授权问题漏洞

Description

Philips SureSigns VS4是一款生命体征监测仪，用于监测患者的生理参数。 Philips SureSigns VS4 A.07.107及更早版本存在授权问题漏洞，该漏洞源于该产品未能正确验证用户所称的身份，目前没有详细的漏洞细节提供。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.usa.philips.com/healthcare/product/HC863283/suresigns-vs4-vital-signs-monitor

Reference

https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01

Impacted products

Name
Philips SureSigns VS4 <=A.07.107

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-16239",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-16239"
    }
  },
  "description": "Philips SureSigns VS4\u662f\u4e00\u6b3e\u751f\u547d\u4f53\u5f81\u76d1\u6d4b\u4eea\uff0c\u7528\u4e8e\u76d1\u6d4b\u60a3\u8005\u7684\u751f\u7406\u53c2\u6570\u3002\n\nPhilips SureSigns VS4 A.07.107\u53ca\u66f4\u65e9\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8be5\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u6240\u79f0\u7684\u8eab\u4efd\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.usa.philips.com/healthcare/product/HC863283/suresigns-vs4-vital-signs-monitor",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49567",
  "openTime": "2020-08-31",
  "products": {
    "product": "Philips SureSigns VS4 \u003c=A.07.107"
  },
  "referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-21",
  "title": "Philips SureSigns VS4\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2020-16239 (GCVE-0-2020-16239)

Vulnerability from cvelistv5 – Published: 2020-08-21 12:18 – Updated: 2025-06-04 21:37

Title

Philips SureSigns VS4 Improper Authentication

Summary

When an actor claims to have a given identity, Philips SureSigns VS4, A.07.107 and prior does not prove or insufficiently proves the claim is correct.

Severity ?

4.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-287

Assigner

icscert

References

URL

Tags

	https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01	x_refsource_MISC
	https://www.philips.com/a-w/security/security-adv…

Impacted products

	Vendor	Product	Version
	Philips	SureSigns VS4	Affected: 0 , < A.07.107 (custom)

Credits

Cleveland Clinic reported these vulnerabilities to Philips.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:37:54.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SureSigns VS4",
          "vendor": "Philips",
          "versions": [
            {
              "lessThan": "A.07.107",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cleveland Clinic reported these vulnerabilities to Philips."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\nWhen an actor claims to have a given identity, \n\nPhilips SureSigns VS4, A.07.107 and prior \ndoes not prove or insufficiently proves the claim is correct.\n\n\u003c/p\u003e"
            }
          ],
          "value": "When an actor claims to have a given identity, \n\nPhilips SureSigns VS4, A.07.107 and prior \ndoes not prove or insufficiently proves the claim is correct."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T21:37:16.919Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
        },
        {
          "url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
        }
      ],
      "source": {
        "advisory": "ICSMA-20-233-01",
        "discovery": "EXTERNAL"
      },
      "title": "Philips SureSigns VS4 Improper Authentication",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As a mitigation to these vulnerabilities, Philips recommends users \nchange all system passwords on the SureSigns VS4 with unique passwords \nfor each device and secure the device when not in use to prevent \nunauthorized access, as referenced in the Installation and Configuration\n Guide available on Incenter. Philips also recommends users consider \nreplacing the SureSigns VS4 device with a newer technology.\u003cbr\u003e\u003cbr\u003e\nUsers with questions regarding specific SureSigns VS4 patient monitor installations and upgrade options should contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips service support or regional service support\u003c/a\u003e or call 1-800-722-9377.\u003cbr\u003e\u003cbr\u003e\nPlease see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\"\u003ePhilips advisory\u003c/a\u003e for vulnerabilities discussed in this disclosure, and visit the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e for the latest security information for Philips products.\n\n\u003cbr\u003e"
            }
          ],
          "value": "As a mitigation to these vulnerabilities, Philips recommends users \nchange all system passwords on the SureSigns VS4 with unique passwords \nfor each device and secure the device when not in use to prevent \nunauthorized access, as referenced in the Installation and Configuration\n Guide available on Incenter. Philips also recommends users consider \nreplacing the SureSigns VS4 device with a newer technology.\n\n\nUsers with questions regarding specific SureSigns VS4 patient monitor installations and upgrade options should contact  Philips service support or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions  or call 1-800-722-9377.\n\n\nPlease see the  Philips advisory http://www.philips.com/productsecurity  for vulnerabilities discussed in this disclosure, and visit the  Philips product security website https://www.philips.com/productsecurity  for the latest security information for Philips products."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-16237",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Philips SureSigns VS4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "A.07.107 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Philips SureSigns VS4, A.07.107 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER INPUT VALIDATION CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-16239",
    "datePublished": "2020-08-21T12:18:29",
    "dateReserved": "2020-07-31T00:00:00",
    "dateUpdated": "2025-06-04T21:37:16.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-49567

CVE-2020-16239 (GCVE-0-2020-16239)

Tags

Sightings

Nomenclature