ID

VAR-201804-0780


CVE

CVE-2017-9657


TITLE

Philips IntelliVue MX40 Data processing vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-013369

DESCRIPTION

Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released a software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and to implement mitigations that reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station when the MX40 disconnects from the access point. Philips IntelliVue MX40 contains a data processing vulnerability. It may be put into a denial-of-service (DoS) state. The MX40 Patient Worn Monitor is primarily used as a traditional telemetry medical device as part of a surveillance and alarm system. Philips IntelliVue MX40 Patient Worn Monitor is prone to multiple denial-of-service vulnerabilities. Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions. Versions prior to Philips IntelliVue MX40 Patient Worn Monitor B.06.18 are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-9657 // JVNDB: JVNDB-2017-013369 // CNVD: CNVD-2017-26428 // BID: 100813 // IVD: 45eefca3-087c-45ad-b591-845fcd17fed1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 45eefca3-087c-45ad-b591-845fcd17fed1 // CNVD: CNVD-2017-26428

AFFECTED PRODUCTS

vendor: philips, model: intellivue mx40, scope: lt, version: b.06.18

Trust: 1.0

vendor: philips, model: intellivue mx40, scope: eq, version: b.06.18

Trust: 0.8

vendor: philips, model: intellivue mx40 patient worn monitor <b.06.18, scope: -, version: -

Trust: 0.6

vendor: philips, model: intelliview mx40 patient worn monitor, scope: eq, version: 0

Trust: 0.3

vendor: philips, model: intelliview mx40 patient worn monitor b.06.18, scope: ne, version: -

Trust: 0.3

vendor: intellivue mx40, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 45eefca3-087c-45ad-b591-845fcd17fed1 // CNVD: CNVD-2017-26428 // BID: 100813 // JVNDB: JVNDB-2017-013369 // NVD: CVE-2017-9657

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9657
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-9657
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-26428
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-580
value: MEDIUM

Trust: 0.6

IVD: 45eefca3-087c-45ad-b591-845fcd17fed1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9657
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-26428
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 45eefca3-087c-45ad-b591-845fcd17fed1
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9657
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 45eefca3-087c-45ad-b591-845fcd17fed1 // CNVD: CNVD-2017-26428 // JVNDB: JVNDB-2017-013369 // CNNVD: CNNVD-201706-580 // NVD: CVE-2017-9657

PROBLEMTYPE DATA

problemtype: CWE-755

Trust: 1.0

problemtype: CWE-460

Trust: 1.0

problemtype: CWE-19

Trust: 0.8

sources: JVNDB: JVNDB-2017-013369 // NVD: CVE-2017-9657

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201706-580

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201706-580

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013369

PATCH

title: Philips IntelliVue MX40 WLAN Patient Wearable Monitor Vulnerabilities (11-SEP-2017), url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips' IntelliView MX40 Patient Worn Monitor has an unexplained patch, url: https://www.cnvd.org.cn/patchInfo/show/102127

Trust: 0.6

title: Philips IntelliVue MX40 Patient Worn Monitor Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99852

Trust: 0.6

sources: CNVD: CNVD-2017-26428 // JVNDB: JVNDB-2017-013369 // CNNVD: CNNVD-201706-580

EXTERNAL IDS

db: NVD, id: CVE-2017-9657

Trust: 3.5

db: ICS CERT, id: ICSMA-17-255-01

Trust: 3.3

db: BID, id: 100813

Trust: 1.9

db: CNVD, id: CNVD-2017-26428

Trust: 0.8

db: CNNVD, id: CNNVD-201706-580

Trust: 0.8

db: JVNDB, id: JVNDB-2017-013369

Trust: 0.8

db: IVD, id: 45EEFCA3-087C-45AD-B591-845FCD17FED1

Trust: 0.2

sources: IVD: 45eefca3-087c-45ad-b591-845fcd17fed1 // CNVD: CNVD-2017-26428 // BID: 100813 // JVNDB: JVNDB-2017-013369 // CNNVD: CNNVD-201706-580 // NVD: CVE-2017-9657

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-17-255-01

Trust: 3.3

url: http://www.securityfocus.com/bid/100813

Trust: 1.6

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9657

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9657

Trust: 0.8

url: http://www.usa.philips.com/

Trust: 0.3

sources: CNVD: CNVD-2017-26428 // BID: 100813 // JVNDB: JVNDB-2017-013369 // CNNVD: CNNVD-201706-580 // NVD: CVE-2017-9657

CREDITS

The vendor has reported the issue.

Trust: 0.3

sources: BID: 100813

SOURCES

db: IVD, id: 45eefca3-087c-45ad-b591-845fcd17fed1
db: CNVD, id: CNVD-2017-26428
db: BID, id: 100813
db: JVNDB, id: JVNDB-2017-013369
db: CNNVD, id: CNNVD-201706-580
db: NVD, id: CVE-2017-9657

LAST UPDATE DATE

2024-11-23T22:22:07.106000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-26428, date: 2017-09-13T00:00:00
db: BID, id: 100813, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-013369, date: 2018-06-27T00:00:00
db: CNNVD, id: CNNVD-201706-580, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-9657, date: 2024-11-21T03:36:35.823

SOURCES RELEASE DATE

db: IVD, id: 45eefca3-087c-45ad-b591-845fcd17fed1, date: 2017-09-13T00:00:00
db: CNVD, id: CNVD-2017-26428, date: 2017-09-13T00:00:00
db: BID, id: 100813, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-013369, date: 2018-06-27T00:00:00
db: CNNVD, id: CNNVD-201706-580, date: 2017-09-12T00:00:00
db: NVD, id: CVE-2017-9657, date: 2018-04-30T15:29:00.163