ID

VAR-201804-0781


CVE

CVE-2017-9658


TITLE

Philips IntelliVue MX40 Data processing vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-013370

DESCRIPTION

Certain 802.11 network management messages have been determined to invoke wireless access point blacklisting security defenses when not required, which can necessitate intervention by hospital staff to reset the device and reestablish a network connection to the Wi-Fi access point. During this state, the Philips IntelliVue MX40 Version B.06.18 can either connect to an alternative access point within signal range for association to a central monitoring station, or it can remain in local monitoring mode until the device is reset by hospital staff. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released a software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability and to implement mitigations that reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station when the MX40 disconnects from the access point. The Philips IntelliVue MX40 contains a data processing vulnerability that may put the device into a service interruption (DoS) state. The MX40 Patient Worn Monitor is primarily used as a traditional telemetry medical device as part of a surveillance and alarm system. The Philips IntelliVue MX40 Patient Worn Monitor is prone to multiple denial-of-service vulnerabilities. Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions. Versions prior to Philips IntelliVue MX40 Patient Worn Monitor B.06.18 are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-9658 // JVNDB: JVNDB-2017-013370 // CNVD: CNVD-2017-26427 // BID: 100813 // IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c // CNVD: CNVD-2017-26427

AFFECTED PRODUCTS

vendor: philips, model: intellivue mx40, scope: lt, version: b.06.18

Trust: 1.0

vendor: philips, model: intellivue mx40, scope: eq, version: b.06.18

Trust: 0.8

vendor: philips, model: intellivue mx40 patient worn monitor <b.06.18, scope: -, version: -

Trust: 0.6

vendor: philips, model: intelliview mx40 patient worn monitor, scope: eq, version: 0

Trust: 0.3

vendor: philips, model: intelliview mx40 patient worn monitor b.06.18, scope: ne, version: -

Trust: 0.3

vendor: intellivue mx40, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c // CNVD: CNVD-2017-26427 // BID: 100813 // JVNDB: JVNDB-2017-013370 // NVD: CVE-2017-9658

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9658
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-9658
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-26427
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-579
value: MEDIUM

Trust: 0.6

IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-9658
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-26427
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9658
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c // CNVD: CNVD-2017-26427 // JVNDB: JVNDB-2017-013370 // CNNVD: CNNVD-201706-579 // NVD: CVE-2017-9658

PROBLEMTYPE DATA

problemtype:CWE-755

Trust: 1.0

problemtype:CWE-19

Trust: 0.8

sources: JVNDB: JVNDB-2017-013370 // NVD: CVE-2017-9658

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201706-579

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201706-579

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013370

PATCH

title: Philips IntelliVue MX40 WLAN Patient Wearable Monitor Vulnerabilities (11-SEP-2017), url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Patch for Unknown Vulnerability (CNVD-2017-26427) for Philips' IntelliView MX40 Patient Worn Monitor, url: https://www.cnvd.org.cn/patchInfo/show/102126

Trust: 0.6

title: Philips IntelliVue MX40 Patient Worn Monitor Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99847

Trust: 0.6

sources: CNVD: CNVD-2017-26427 // JVNDB: JVNDB-2017-013370 // CNNVD: CNNVD-201706-579

EXTERNAL IDS

db: NVD, id: CVE-2017-9658

Trust: 3.5

db: ICS CERT, id: ICSMA-17-255-01

Trust: 3.3

db: BID, id: 100813

Trust: 1.9

db: CNVD, id: CNVD-2017-26427

Trust: 0.8

db: CNNVD, id: CNNVD-201706-579

Trust: 0.8

db: JVNDB, id: JVNDB-2017-013370

Trust: 0.8

db: IVD, id: 47B90CEB-D6EC-4DCD-A16C-05EFA4ACFE6C

Trust: 0.2

sources: IVD: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c // CNVD: CNVD-2017-26427 // BID: 100813 // JVNDB: JVNDB-2017-013370 // CNNVD: CNNVD-201706-579 // NVD: CVE-2017-9658

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsma-17-255-01

Trust: 3.3

url:http://www.securityfocus.com/bid/100813

Trust: 1.6

url:https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9658

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9658

Trust: 0.8

url:http://www.usa.philips.com/

Trust: 0.3

sources: CNVD: CNVD-2017-26427 // BID: 100813 // JVNDB: JVNDB-2017-013370 // CNNVD: CNNVD-201706-579 // NVD: CVE-2017-9658

CREDITS

The vendor has reported the issue.

Trust: 0.3

sources: BID: 100813

SOURCES

db: IVD, id: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c
db: CNVD, id: CNVD-2017-26427
db: BID, id: 100813
db: JVNDB, id: JVNDB-2017-013370
db: CNNVD, id: CNNVD-201706-579
db: NVD, id: CVE-2017-9658

LAST UPDATE DATE

2024-11-23T22:22:07.071000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-26427, date: 2017-09-13T00:00:00
db: BID, id: 100813, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-013370, date: 2018-06-27T00:00:00
db: CNNVD, id: CNNVD-201706-579, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-9658, date: 2024-11-21T03:36:35.940

SOURCES RELEASE DATE

db: IVD, id: 47b90ceb-d6ec-4dcd-a16c-05efa4acfe6c, date: 2017-09-13T00:00:00
db: CNVD, id: CNVD-2017-26427, date: 2017-09-13T00:00:00
db: BID, id: 100813, date: 2017-09-12T00:00:00
db: JVNDB, id: JVNDB-2017-013370, date: 2018-06-27T00:00:00
db: CNNVD, id: CNNVD-201706-579, date: 2017-09-12T00:00:00
db: NVD, id: CVE-2017-9658, date: 2018-04-30T15:29:00.227