cvelistv5 - cve-2017-9657

CVE-2017-9657 (GCVE-0-2017-9657)

Vulnerability from cvelistv5 – Published: 2018-04-30 15:00 – Updated: 2024-09-16 16:13

Summary

Severity ?

No CVSS data available.

CWE

CWE-460 - Improper cleanup on thrown exception CWE-460

Assigner

icscert

References

URL

Tags

	https://www.usa.philips.com/healthcare/about/cust…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/100813	vdb-entryx_refsource_BID
	https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Philips	IntelliVue MX40 Patient Worn Monitor	Affected: IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:18:01.347Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
          },
          {
            "name": "100813",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100813"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "IntelliVue MX40 Patient Worn Monitor",
          "vendor": "Philips",
          "versions": [
            {
              "status": "affected",
              "version": "IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18"
            }
          ]
        }
      ],
      "datePublic": "2017-09-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-460",
              "description": "Improper cleanup on thrown exception CWE-460",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-01T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
        },
        {
          "name": "100813",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100813"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2017-09-12T00:00:00",
          "ID": "CVE-2017-9657",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "IntelliVue MX40 Patient Worn Monitor",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Philips"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper cleanup on thrown exception CWE-460"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security",
              "refsource": "CONFIRM",
              "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
            },
            {
              "name": "100813",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100813"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-9657",
    "datePublished": "2018-04-30T15:00:00Z",
    "dateReserved": "2017-06-14T00:00:00",
    "dateUpdated": "2024-09-16T16:13:21.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"b.06.18\", \"matchCriteriaId\": \"493FB2C6-0962-4E8E-BB55-BB02072BEA3B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"71C26579-482B-4B19-8C5E-71A26A059894\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.\"}, {\"lang\": \"es\", \"value\": \"Bajo condiciones especiales de la red 802.11, es posible realizar una reasociaci\\u00f3n parcial del monitor WLAN Philips IntelliVue MX40 B.06.18 con la estaci\\u00f3n central de monitorizaci\\u00f3n. En este estado, la estaci\\u00f3n central de monitorizaci\\u00f3n puede indicar que el MX40 no est\\u00e1 conectado o asociado al monitor central y, por lo tanto, deber\\u00eda estar funcionando en modo de monitorizaci\\u00f3n local (local audio-on, screen-on), pero el propio MX40 WLAN podr\\u00eda seguir funcionando en modo telemetr\\u00eda (local audio-off, screen-off). Si un paciente experimenta un evento de alarma y el personal cl\\u00ednico espera que MX40 proporcione una alarma local cuando no est\\u00e1 disponible desde el dispositivo local, el tratamiento podr\\u00eda demorarse. Puntuaci\\u00f3n base de CVSS v3: 6.5, cadena de vector CVSS: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips ha lanzado una actualizaci\\u00f3n de software, la versi\\u00f3n B.06.18, para solucionar la vulnerabilidad de limpieza indebida de excepci\\u00f3n lanzada. Adem\\u00e1s, tambi\\u00e9n ha implementado mitigaciones para reducir el riesgo asociado con la vulnerabilidad de gesti\\u00f3n incorrecta de condiciones excepcionales. La actualizaci\\u00f3n de software implementa mensajes y alarmas en el MX40 y en la estaci\\u00f3n central de monitorizaci\\u00f3n cuando el MX40 se desconecta del punto de acceso.\"}]",
      "id": "CVE-2017-9657",
      "lastModified": "2024-11-21T03:36:35.823",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 3.3, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.5, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-04-30T15:29:00.163",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/100813\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.usa.philips.com/healthcare/about/customer-support/product-security\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/100813\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.usa.philips.com/healthcare/about/customer-support/product-security\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-460\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-755\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-9657\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-04-30T15:29:00.163\",\"lastModified\":\"2024-11-21T03:36:35.823\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.\"},{\"lang\":\"es\",\"value\":\"Bajo condiciones especiales de la red 802.11, es posible realizar una reasociaci\u00f3n parcial del monitor WLAN Philips IntelliVue MX40 B.06.18 con la estaci\u00f3n central de monitorizaci\u00f3n. En este estado, la estaci\u00f3n central de monitorizaci\u00f3n puede indicar que el MX40 no est\u00e1 conectado o asociado al monitor central y, por lo tanto, deber\u00eda estar funcionando en modo de monitorizaci\u00f3n local (local audio-on, screen-on), pero el propio MX40 WLAN podr\u00eda seguir funcionando en modo telemetr\u00eda (local audio-off, screen-off). Si un paciente experimenta un evento de alarma y el personal cl\u00ednico espera que MX40 proporcione una alarma local cuando no est\u00e1 disponible desde el dispositivo local, el tratamiento podr\u00eda demorarse. Puntuaci\u00f3n base de CVSS v3: 6.5, cadena de vector CVSS: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips ha lanzado una actualizaci\u00f3n de software, la versi\u00f3n B.06.18, para solucionar la vulnerabilidad de limpieza indebida de excepci\u00f3n lanzada. Adem\u00e1s, tambi\u00e9n ha implementado mitigaciones para reducir el riesgo asociado con la vulnerabilidad de gesti\u00f3n incorrecta de condiciones excepcionales. La actualizaci\u00f3n de software implementa mensajes y alarmas en el MX40 y en la estaci\u00f3n central de monitorizaci\u00f3n cuando el MX40 se desconecta del punto de acceso.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":3.3,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.5,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-460\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"b.06.18\",\"matchCriteriaId\":\"493FB2C6-0962-4E8E-BB55-BB02072BEA3B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"71C26579-482B-4B19-8C5E-71A26A059894\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100813\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.usa.philips.com/healthcare/about/customer-support/product-security\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100813\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.usa.philips.com/healthcare/about/customer-support/product-security\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2017-26428

Vulnerability from cnvd - Published: 2017-09-13

Title

Philips' IntelliView MX40 Patient Worn Monitor存在未明漏洞

Description

MX40 Patient Worn Monitor主要用作传统的遥测医疗设备，作为监视和警报系统的一部分。在特定的802.11网络条件下，可以将MX40 WLAN监视器部分重新关联到中央监控站。在这种状态下，中央监控站可以指示MX40没有连接或与中央监控器相关联，因此MX40 WLAN本应在本地监控模式运行，却依然在遥测模式中运行。如果患者遇到警报事件，临床工作人员预计MX40在本地设备无法提供本地警报时，可能会发生延迟治疗。

Severity

中

Patch Name

Philips' IntelliView MX40 Patient Worn Monitor存在未明漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01

Impacted products

Name
Philips IntelliVue MX40 Patient Worn Monitor (WLAN） <B.06.18

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9657"
    }
  },
  "description": "MX40 Patient Worn Monitor\u4e3b\u8981\u7528\u4f5c\u4f20\u7edf\u7684\u9065\u6d4b\u533b\u7597\u8bbe\u5907\uff0c\u4f5c\u4e3a\u76d1\u89c6\u548c\u8b66\u62a5\u7cfb\u7edf\u7684\u4e00\u90e8\u5206\u3002\r\n\r\n\u5728\u7279\u5b9a\u7684802.11\u7f51\u7edc\u6761\u4ef6\u4e0b\uff0c\u53ef\u4ee5\u5c06MX40 WLAN\u76d1\u89c6\u5668\u90e8\u5206\u91cd\u65b0\u5173\u8054\u5230\u4e2d\u592e\u76d1\u63a7\u7ad9\u3002\u5728\u8fd9\u79cd\u72b6\u6001\u4e0b\uff0c\u4e2d\u592e\u76d1\u63a7\u7ad9\u53ef\u4ee5\u6307\u793aMX40\u6ca1\u6709\u8fde\u63a5\u6216\u4e0e\u4e2d\u592e\u76d1\u63a7\u5668\u76f8\u5173\u8054\uff0c\u56e0\u6b64MX40 WLAN\u672c\u5e94\u5728\u672c\u5730\u76d1\u63a7\u6a21\u5f0f\u8fd0\u884c\uff0c\u5374\u4f9d\u7136\u5728\u9065\u6d4b\u6a21\u5f0f\u4e2d\u8fd0\u884c\u3002\u5982\u679c\u60a3\u8005\u9047\u5230\u8b66\u62a5\u4e8b\u4ef6\uff0c\u4e34\u5e8a\u5de5\u4f5c\u4eba\u5458\u9884\u8ba1MX40\u5728\u672c\u5730\u8bbe\u5907\u65e0\u6cd5\u63d0\u4f9b\u672c\u5730\u8b66\u62a5\u65f6\uff0c\u53ef\u80fd\u4f1a\u53d1\u751f\u5ef6\u8fdf\u6cbb\u7597\u3002",
  "discovererName": "unknow",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a \r\nhttp://www.usa.philips.com/healthcare/solutions/customer-service-solutions",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-26428",
  "openTime": "2017-09-13",
  "patchDescription": "MX40 Patient Worn Monitor\u4e3b\u8981\u7528\u4f5c\u4f20\u7edf\u7684\u9065\u6d4b\u533b\u7597\u8bbe\u5907\uff0c\u4f5c\u4e3a\u76d1\u89c6\u548c\u8b66\u62a5\u7cfb\u7edf\u7684\u4e00\u90e8\u5206\u3002\r\n\r\n\u5728\u7279\u5b9a\u7684802.11\u7f51\u7edc\u6761\u4ef6\u4e0b\uff0c\u53ef\u4ee5\u5c06MX40 WLAN\u76d1\u89c6\u5668\u90e8\u5206\u91cd\u65b0\u5173\u8054\u5230\u4e2d\u592e\u76d1\u63a7\u7ad9\u3002\u5728\u8fd9\u79cd\u72b6\u6001\u4e0b\uff0c\u4e2d\u592e\u76d1\u63a7\u7ad9\u53ef\u4ee5\u6307\u793aMX40\u6ca1\u6709\u8fde\u63a5\u6216\u4e0e\u4e2d\u592e\u76d1\u63a7\u5668\u76f8\u5173\u8054\uff0c\u56e0\u6b64MX40 WLAN\u672c\u5e94\u5728\u672c\u5730\u76d1\u63a7\u6a21\u5f0f\u8fd0\u884c\uff0c\u5374\u4f9d\u7136\u5728\u9065\u6d4b\u6a21\u5f0f\u4e2d\u8fd0\u884c\u3002\u5982\u679c\u60a3\u8005\u9047\u5230\u8b66\u62a5\u4e8b\u4ef6\uff0c\u4e34\u5e8a\u5de5\u4f5c\u4eba\u5458\u9884\u8ba1MX40\u5728\u672c\u5730\u8bbe\u5907\u65e0\u6cd5\u63d0\u4f9b\u672c\u5730\u8b66\u62a5\u65f6\uff0c\u53ef\u80fd\u4f1a\u53d1\u751f\u5ef6\u8fdf\u6cbb\u7597\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Philips\u0027 IntelliView MX40 Patient Worn Monitor\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Philips IntelliVue MX40 Patient Worn Monitor (WLAN\uff09 \u003cB.06.18"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-13",
  "title": "Philips\u0027 IntelliView MX40 Patient Worn Monitor\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

GSD-2017-9657

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-9657

Aliases

CVE-2017-9657

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-9657",
    "description": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.",
    "id": "GSD-2017-9657"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-9657"
      ],
      "details": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.",
      "id": "GSD-2017-9657",
      "modified": "2023-12-13T01:21:08.207846Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2017-09-12T00:00:00",
        "ID": "CVE-2017-9657",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "IntelliVue MX40 Patient Worn Monitor",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Philips"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Improper cleanup on thrown exception CWE-460"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security",
            "refsource": "CONFIRM",
            "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
          },
          {
            "name": "100813",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100813"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "b.06.18",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-9657"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-755"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
            },
            {
              "name": "100813",
              "refsource": "BID",
              "tags": [
                "VDB Entry",
                "Third Party Advisory"
              ],
              "url": "http://www.securityfocus.com/bid/100813"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 6.5,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:30Z",
      "publishedDate": "2018-04-30T15:29Z"
    }
  }
}

VAR-201804-0780

Vulnerability from variot - Updated: 2023-12-18 13:08

Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point. Philips IntelliVue MX40 Contains a data processing vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The MX40 Patient Worn Monitor is primarily used as a traditional telemetry medical device as part of a surveillance and alarm system. Philips IntelliView MX40 Patient Worn Monitor is prone to multiple denial-of-service vulnerabilities. Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions. Versions prior to Philips IntelliView MX40 Patient Worn Monitor B.06.18 are vulnerable

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201804-0780",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "intellivue mx40",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "philips",
        "version": "b.06.18"
      },
      {
        "model": "intellivue mx40",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "philips",
        "version": "b.06.18"
      },
      {
        "model": "intellivue mx40 patient worn monitor \u003cb.06.18",
        "scope": null,
        "trust": 0.6,
        "vendor": "philips",
        "version": null
      },
      {
        "model": "intelliview mx40 patient worn monitor",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "philips",
        "version": "0"
      },
      {
        "model": "intelliview mx40 patient worn monitor b.06.18",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "philips",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "intellivue mx40",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "BID",
        "id": "100813"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "b.06.18",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The vendor has reported the issue.",
    "sources": [
      {
        "db": "BID",
        "id": "100813"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2017-9657",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.5,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Adjacent Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 3.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-9657",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 6.1,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.5,
            "id": "CNVD-2017-26428",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 6.1,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.5,
            "id": "45eefca3-087c-45ad-b591-845fcd17fed1",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-9657",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-9657",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-26428",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201706-580",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "45eefca3-087c-45ad-b591-845fcd17fed1",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point. Philips IntelliVue MX40 Contains a data processing vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The MX40 Patient Worn Monitor is primarily used as a traditional telemetry medical device as part of a surveillance and alarm system. Philips IntelliView MX40 Patient Worn Monitor  is prone to multiple denial-of-service vulnerabilities. \nSuccessful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions. \nVersions prior to Philips IntelliView MX40 Patient Worn Monitor B.06.18 are vulnerable",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "BID",
        "id": "100813"
      },
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-9657",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-17-255-01",
        "trust": 3.3
      },
      {
        "db": "BID",
        "id": "100813",
        "trust": 1.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "45EEFCA3-087C-45AD-B591-845FCD17FED1",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "BID",
        "id": "100813"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "id": "VAR-201804-0780",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      }
    ],
    "trust": 1.6333333
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:08:31.240000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Philips IntelliVue MX40 WLAN Patient Wearable Monitor Vulnerabilities (11-SEP-2017)",
        "trust": 0.8,
        "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
      },
      {
        "title": "Philips\u0027 IntelliView MX40 Patient Worn Monitor has an unexplained patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/102127"
      },
      {
        "title": "Philips IntelliVue MX40 Patient Worn Monitor Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=99852"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-755",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-19",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "https://ics-cert.us-cert.gov/advisories/icsma-17-255-01"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/100813"
      },
      {
        "trust": 1.6,
        "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9657"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-9657"
      },
      {
        "trust": 0.3,
        "url": "http://www.usa.philips.com/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "BID",
        "id": "100813"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "db": "BID",
        "id": "100813"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-13T00:00:00",
        "db": "IVD",
        "id": "45eefca3-087c-45ad-b591-845fcd17fed1"
      },
      {
        "date": "2017-09-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "date": "2017-09-12T00:00:00",
        "db": "BID",
        "id": "100813"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "date": "2018-04-30T15:29:00.163000",
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "date": "2017-09-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-26428"
      },
      {
        "date": "2017-09-12T00:00:00",
        "db": "BID",
        "id": "100813"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      },
      {
        "date": "2019-10-09T23:30:47.063000",
        "db": "NVD",
        "id": "CVE-2017-9657"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Philips IntelliVue MX40 Data processing vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-013369"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201706-580"
      }
    ],
    "trust": 0.6
  }
}

GHSA-32RC-PV7X-94GG

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-9657"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-30T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point.",
  "id": "GHSA-32rc-pv7x-94gg",
  "modified": "2022-05-13T01:36:04Z",
  "published": "2022-05-13T01:36:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9657"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100813"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ICSMA-17-255-01

Vulnerability from csaf_cisa - Published: 2017-09-12 00:00 - Updated: 2017-09-12 00:00

Summary

ICSMA-17-255-01_Philips' IntelliView MX40 Patient Worn Monitor (WLAN) Vulnerabilities

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-255-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-255-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-17-255-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-255-01"
      }
    ],
    "title": "ICSMA-17-255-01_Philips\u0027 IntelliView MX40 Patient Worn Monitor (WLAN) Vulnerabilities",
    "tracking": {
      "current_release_date": "2017-09-12T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSMA-17-255-01",
      "initial_release_date": "2017-09-12T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-09-12T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-17-255-01 Philips\u0027 IntelliView MX40 Patient Worn Monitor (WLAN) Vulnerabilities"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c B.06.18",
                "product": {
                  "name": "IntelliVue MX40 Patient Worn Monitor (WLAN only): all versions prior to Version B.06.18",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "IntelliVue MX40 Patient Worn Monitor (WLAN only)"
          }
        ],
        "category": "vendor",
        "name": "Philips"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-9657",
      "cwe": {
        "id": "CWE-460",
        "name": "Improper Cleanup on Thrown Exception"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Under specific 802.11 network conditions, a partial re-association of the MX40 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-9657"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Philips is planning to release an additional MX40 software update in 2017 to address the improper handling of exceptional conditions vulnerability.  Please see the Philips product security web site for latest information for this and other Philips products:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2017-9658",
      "cwe": {
        "id": "CWE-755",
        "name": "Improper Handling of Exceptional Conditions"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Certain 802.11 network management messages have been determined to invoke wireless access point blacklisting security defenses when not required, which can necessitate intervention by hospital staff to reset the device and reestablish a network connection to the Wi-Fi access point. During this state, the MX40 can either connect to an alternative access point within signal range for association to a central monitoring station, or it can remain in local monitoring mode until the device is reset by hospital staff.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-9658"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Philips is planning to release an additional MX40 software update in 2017 to address the improper handling of exceptional conditions vulnerability.  Please see the Philips product security web site for latest information for this and other Philips products:",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

FKIE_CVE-2017-9657

Vulnerability from fkie_nvd - Published: 2018-04-30 15:29 - Updated: 2024-11-21 03:36

Severity ?

6.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/100813	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01	Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://www.usa.philips.com/healthcare/about/customer-support/product-security	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100813	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.usa.philips.com/healthcare/about/customer-support/product-security	Vendor Advisory

Impacted products

	Vendor	Product	Version
	philips	intellivue_mx40_firmware	*
	philips	intellivue_mx40	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "493FB2C6-0962-4E8E-BB55-BB02072BEA3B",
              "versionEndExcluding": "b.06.18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "71C26579-482B-4B19-8C5E-71A26A059894",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."
    },
    {
      "lang": "es",
      "value": "Bajo condiciones especiales de la red 802.11, es posible realizar una reasociaci\u00f3n parcial del monitor WLAN Philips IntelliVue MX40 B.06.18 con la estaci\u00f3n central de monitorizaci\u00f3n. En este estado, la estaci\u00f3n central de monitorizaci\u00f3n puede indicar que el MX40 no est\u00e1 conectado o asociado al monitor central y, por lo tanto, deber\u00eda estar funcionando en modo de monitorizaci\u00f3n local (local audio-on, screen-on), pero el propio MX40 WLAN podr\u00eda seguir funcionando en modo telemetr\u00eda (local audio-off, screen-off). Si un paciente experimenta un evento de alarma y el personal cl\u00ednico espera que MX40 proporcione una alarma local cuando no est\u00e1 disponible desde el dispositivo local, el tratamiento podr\u00eda demorarse. Puntuaci\u00f3n base de CVSS v3: 6.5, cadena de vector CVSS: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips ha lanzado una actualizaci\u00f3n de software, la versi\u00f3n B.06.18, para solucionar la vulnerabilidad de limpieza indebida de excepci\u00f3n lanzada. Adem\u00e1s, tambi\u00e9n ha implementado mitigaciones para reducir el riesgo asociado con la vulnerabilidad de gesti\u00f3n incorrecta de condiciones excepcionales. La actualizaci\u00f3n de software implementa mensajes y alarmas en el MX40 y en la estaci\u00f3n central de monitorizaci\u00f3n cuando el MX40 se desconecta del punto de acceso."
    }
  ],
  "id": "CVE-2017-9657",
  "lastModified": "2024-11-21T03:36:35.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 3.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-30T15:29:00.163",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100813"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100813"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-460"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-9657 (GCVE-0-2017-9657)

CNVD-2017-26428

GSD-2017-9657

VAR-201804-0780

GHSA-32RC-PV7X-94GG

ICSMA-17-255-01

FKIE_CVE-2017-9657

Tags

Sightings

Nomenclature