cnvd - cnvd-2020-49568

CNVD-2020-49568

Vulnerability from cnvd - Published: 2020-08-31

Title

Philips SureSigns VS4访问控制错误漏洞

Description

Philips SureSigns VS4是一款生命体征监测仪，用于监测患者的生理参数。 Philips SureSigns VS4 A.07.107及更早版本存在访问控制错误漏洞。攻击者可利用该漏洞越权访问资源。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.usa.philips.com/healthcare/product/HC863283/suresigns-vs4-vital-signs-monitor

Reference

https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01

Impacted products

Name
Philips SureSigns VS4 <=A.07.107

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-16241",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-16241"
    }
  },
  "description": "Philips SureSigns VS4\u662f\u4e00\u6b3e\u751f\u547d\u4f53\u5f81\u76d1\u6d4b\u4eea\uff0c\u7528\u4e8e\u76d1\u6d4b\u60a3\u8005\u7684\u751f\u7406\u53c2\u6570\u3002\n\nPhilips SureSigns VS4 A.07.107\u53ca\u66f4\u65e9\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8d8a\u6743\u8bbf\u95ee\u8d44\u6e90\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.usa.philips.com/healthcare/product/HC863283/suresigns-vs4-vital-signs-monitor",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49568",
  "openTime": "2020-08-31",
  "products": {
    "product": "Philips SureSigns VS4 \u003c=A.07.107"
  },
  "referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01",
  "serverity": "\u4f4e",
  "submitTime": "2020-08-21",
  "title": "Philips SureSigns VS4\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2020-16241 (GCVE-0-2020-16241)

Vulnerability from cvelistv5 – Published: 2020-08-21 12:15 – Updated: 2025-06-04 21:34

Title

Philips SureSigns VS4 Improper Access Control

Summary

Philips SureSigns VS4, A.07.107 and prior does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

CWE

CWE-284

Assigner

icscert

References

URL

Tags

	https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01	x_refsource_MISC
	https://www.philips.com/a-w/security/security-adv…

Impacted products

	Vendor	Product	Version
	Philips	SureSigns VS4	Affected: 0 , < A.07.107 (custom)

Credits

Cleveland Clinic reported these vulnerabilities to Philips.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:37:54.195Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SureSigns VS4",
          "vendor": "Philips",
          "versions": [
            {
              "lessThan": "A.07.107",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cleveland Clinic reported these vulnerabilities to Philips."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePhilips SureSigns VS4, A.07.107 and prior \ndoes not restrict or incorrectly restricts access to a resource from an unauthorized actor.\n\n\u003c/p\u003e"
            }
          ],
          "value": "Philips SureSigns VS4, A.07.107 and prior \ndoes not restrict or incorrectly restricts access to a resource from an unauthorized actor."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T21:34:45.706Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
        },
        {
          "url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
        }
      ],
      "source": {
        "advisory": "ICSMA-20-233-01",
        "discovery": "EXTERNAL"
      },
      "title": "Philips SureSigns VS4 Improper Access Control",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As a mitigation to these vulnerabilities, Philips recommends users \nchange all system passwords on the SureSigns VS4 with unique passwords \nfor each device and secure the device when not in use to prevent \nunauthorized access, as referenced in the Installation and Configuration\n Guide available on Incenter. Philips also recommends users consider \nreplacing the SureSigns VS4 device with a newer technology.\u003cbr\u003e\u003cbr\u003e\nUsers with questions regarding specific SureSigns VS4 patient monitor installations and upgrade options should contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips service support or regional service support\u003c/a\u003e or call 1-800-722-9377.\u003cbr\u003e\u003cbr\u003e\nPlease see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\"\u003ePhilips advisory\u003c/a\u003e for vulnerabilities discussed in this disclosure, and visit the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e for the latest security information for Philips products.\n\n\u003cbr\u003e"
            }
          ],
          "value": "As a mitigation to these vulnerabilities, Philips recommends users \nchange all system passwords on the SureSigns VS4 with unique passwords \nfor each device and secure the device when not in use to prevent \nunauthorized access, as referenced in the Installation and Configuration\n Guide available on Incenter. Philips also recommends users consider \nreplacing the SureSigns VS4 device with a newer technology.\n\n\nUsers with questions regarding specific SureSigns VS4 patient monitor installations and upgrade options should contact  Philips service support or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions  or call 1-800-722-9377.\n\n\nPlease see the  Philips advisory http://www.philips.com/productsecurity  for vulnerabilities discussed in this disclosure, and visit the  Philips product security website https://www.philips.com/productsecurity  for the latest security information for Philips products."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-16237",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Philips SureSigns VS4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "A.07.107 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Philips SureSigns VS4, A.07.107 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER INPUT VALIDATION CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-16241",
    "datePublished": "2020-08-21T12:15:31",
    "dateReserved": "2020-07-31T00:00:00",
    "dateUpdated": "2025-06-04T21:34:45.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-49568

CVE-2020-16241 (GCVE-0-2020-16241)

Tags

Sightings

Nomenclature