ID

VAR-201804-0779


CVE

CVE-2017-9656


TITLE

Philips DoseWise Portal Vulnerabilities related to the use of hard-coded credentials in applications

Trust: 0.8

sources: JVNDB: JVNDB-2017-013354

DESCRIPTION

The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. To exploit this vulnerability, an attacker first needs elevated privileges to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The Philips DoseWise Portal application contains a vulnerability related to the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). Philips' DoseWise Portal is a web-based reporting and radiation exposure tracking tool. There is a hard-coded credentials vulnerability in Philips' DoseWise Portal. Attackers can exploit this issue to obtain sensitive information or bypass the authentication mechanism and gain unauthorized access to the device. DoseWise Portal 1.1.7.333 and 2.1.1.3069 are vulnerable. The platform is used to record, track and analyze radiation exposure to patients and physicians.

Trust: 2.7

sources: NVD: CVE-2017-9656 // JVNDB: JVNDB-2017-013354 // CNVD: CNVD-2017-22813 // BID: 100471 // IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770 // VULHUB: VHN-117859

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770 // CNVD: CNVD-2017-22813

AFFECTED PRODUCTS

vendor: philips, model: dosewise, scope: eq, version: 1.1.7.333

Trust: 2.4

vendor: philips, model: dosewise, scope: eq, version: 2.1.1.3069

Trust: 2.4

vendor: philips, model: dosewise portal, scope: gte, version: 1.1.7.333,<=2.1.1.3069

Trust: 0.6

vendor: philips, model: dosewise portal, scope: eq, version: 2.1.1.3069

Trust: 0.3

vendor: philips, model: dosewise portal, scope: eq, version: 1.1.7.333

Trust: 0.3

vendor: dosewise, model: -, scope: eq, version: 1.1.7.333

Trust: 0.2

vendor: dosewise, model: -, scope: eq, version: 2.1.1.3069

Trust: 0.2

sources: IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770 // CNVD: CNVD-2017-22813 // BID: 100471 // JVNDB: JVNDB-2017-013354 // CNNVD: CNNVD-201706-581 // NVD: CVE-2017-9656

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9656
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-9656
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-22813
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201706-581
value: CRITICAL

Trust: 0.6

IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770
value: CRITICAL

Trust: 0.2

VULHUB: VHN-117859
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-9656
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22813
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-117859
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-9656
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770 // CNVD: CNVD-2017-22813 // VULHUB: VHN-117859 // JVNDB: JVNDB-2017-013354 // CNNVD: CNNVD-201706-581 // NVD: CVE-2017-9656

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-117859 // JVNDB: JVNDB-2017-013354 // NVD: CVE-2017-9656

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-581

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201706-581

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013354

PATCH

title: Philips DoseWise Portal Vulnerabilities (17-AUG-2017)
url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Patch for the Philips' DoseWise Portal hardcoded vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/100831

Trust: 0.6

title: Philips DoseWise Portal Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99848

Trust: 0.6

sources: CNVD: CNVD-2017-22813 // JVNDB: JVNDB-2017-013354 // CNNVD: CNNVD-201706-581

EXTERNAL IDS

db: NVD, id: CVE-2017-9656

Trust: 3.6

db: ICS CERT, id: ICSMA-17-229-01

Trust: 3.4

db: BID, id: 100471

Trust: 2.0

db: CNNVD, id: CNNVD-201706-581

Trust: 0.9

db: CNVD, id: CNVD-2017-22813

Trust: 0.8

db: JVNDB, id: JVNDB-2017-013354

Trust: 0.8

db: IVD, id: 2EBF3D19-4F4D-4628-AA8B-BDCE15496770

Trust: 0.2

db: VULHUB, id: VHN-117859

Trust: 0.1

sources: IVD: 2ebf3d19-4f4d-4628-aa8b-bdce15496770 // CNVD: CNVD-2017-22813 // VULHUB: VHN-117859 // BID: 100471 // JVNDB: JVNDB-2017-013354 // CNNVD: CNNVD-201706-581 // NVD: CVE-2017-9656

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-17-229-01

Trust: 3.4

url: http://www.securityfocus.com/bid/100471

Trust: 1.7

url: http://www.philips.com/productsecurity

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9656

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9656

Trust: 0.8

url: http://www.usa.philips.com/

Trust: 0.3

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.3

sources: CNVD: CNVD-2017-22813 // VULHUB: VHN-117859 // BID: 100471 // JVNDB: JVNDB-2017-013354 // CNNVD: CNNVD-201706-581 // NVD: CVE-2017-9656

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 100471

SOURCES

db: IVD, id: 2ebf3d19-4f4d-4628-aa8b-bdce15496770
db: CNVD, id: CNVD-2017-22813
db: VULHUB, id: VHN-117859
db: BID, id: 100471
db: JVNDB, id: JVNDB-2017-013354
db: CNNVD, id: CNNVD-201706-581
db: NVD, id: CVE-2017-9656

LAST UPDATE DATE

2024-11-23T21:39:01.652000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-22813, date: 2017-08-25T00:00:00
db: VULHUB, id: VHN-117859, date: 2019-10-09T00:00:00
db: BID, id: 100471, date: 2017-08-17T00:00:00
db: JVNDB, id: JVNDB-2017-013354, date: 2018-06-22T00:00:00
db: CNNVD, id: CNNVD-201706-581, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-9656, date: 2024-11-21T03:36:35.710

SOURCES RELEASE DATE

db: IVD, id: 2ebf3d19-4f4d-4628-aa8b-bdce15496770, date: 2017-08-25T00:00:00
db: CNVD, id: CNVD-2017-22813, date: 2017-08-25T00:00:00
db: VULHUB, id: VHN-117859, date: 2018-04-24T00:00:00
db: BID, id: 100471, date: 2017-08-17T00:00:00
db: JVNDB, id: JVNDB-2017-013354, date: 2018-06-22T00:00:00
db: CNNVD, id: CNNVD-201706-581, date: 2017-06-15T00:00:00
db: NVD, id: CVE-2017-9656, date: 2018-04-24T15:29:00.867