Details of VAR-201805-0938

ID

VAR-201805-0938

CVE

CVE-2018-8853

TITLE

plural Philips Vulnerabilities related to authorization, authority, and access control in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-004911

DESCRIPTION

Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system. Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, or an attacker to potentially attain unauthorized elevated privileges in Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brillance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior. Also, attackers may gain access to unauthorized resources from the underlying Windows operating system. plural Philips The product contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Philips Brilliance64 and others are CT scanners from Philips, the Netherlands. There are security holes in several Philips BrillianceCT devices. Philips Brilliance Computed Tomography Systems are prone to the following security vulnerabilities: 1. A local privilege-escalation vulnerability. 2. Multiple local information-disclosure vulnerabilities An attacker may leverage these issues to obtain sensitive information, gain elevated privileges; this can result in arbitrary code execution within the context of the vulnerable application. Failed exploit attempts will likely cause denial-of-service conditions. Philips Brilliance 64 etc

Trust: 2.7

sources: NVD: CVE-2018-8853 // JVNDB: JVNDB-2018-004911 // CNVD: CNVD-2018-09237 // BID: 104088 // IVD: e2eeea51-39ab-11e9-b970-000c29342cb1 // VULHUB: VHN-138885

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e2eeea51-39ab-11e9-b970-000c29342cb1 // CNVD: CNVD-2018-09237

AFFECTED PRODUCTS

vendor:	philips	model:	brilliance 64	scope:	lte	version:	2.6.2	Trust: 1.8
vendor:	philips	model:	brilliance ct big bore	scope:	lte	version:	2.3.5	Trust: 1.8
vendor:	philips	model:	brilliance ict	scope:	lte	version:	4.1.6	Trust: 1.8
vendor:	philips	model:	brilliance ict sp	scope:	lte	version:	3.2.4	Trust: 1.0
vendor:	philips	model:	brilliance ict	scope:	eq	version:	4.1.6	Trust: 0.9
vendor:	philips	model:	brilliance ct big bore	scope:	eq	version:	2.3.5	Trust: 0.9
vendor:	philips	model:	brillance ict sp	scope:	lte	version:	3.2.4	Trust: 0.8
vendor:	philips	model:	brilliance	scope:	eq	version:	64<=2.6.2	Trust: 0.6
vendor:	philips	model:	brilliance ict	scope:	lte	version:	<=4.1.6	Trust: 0.6
vendor:	philips	model:	brillance ict sp	scope:	lte	version:	<=3.2.4	Trust: 0.6
vendor:	philips	model:	brilliance ct big bore	scope:	lte	version:	<=2.3.5	Trust: 0.6
vendor:	philips	model:	brilliance ict sp	scope:	eq	version:	3.2.4	Trust: 0.6
vendor:	philips	model:	brilliance 64	scope:	eq	version:	2.6.2	Trust: 0.6
vendor:	philips	model:	brilliance	scope:	eq	version:	642.6.2	Trust: 0.3
vendor:	philips	model:	brillance ict sp	scope:	eq	version:	3.2.4	Trust: 0.3
vendor:	brilliance 64	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	brilliance ict sp	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	brilliance ict	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	brilliance ct big bore	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2eeea51-39ab-11e9-b970-000c29342cb1 // CNVD: CNVD-2018-09237 // BID: 104088 // JVNDB: JVNDB-2018-004911 // CNNVD: CNNVD-201805-180 // NVD: CVE-2018-8853

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8853
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-8853
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-09237
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201805-180
value:	HIGH
Trust: 0.6
IVD:	e2eeea51-39ab-11e9-b970-000c29342cb1
value:	HIGH
Trust: 0.2
VULHUB:	VHN-138885
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-8853
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-09237
severity:	MEDIUM
baseScore:	6.1
vectorString:	AV:L/AC:L/AU:N/C:C/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2eeea51-39ab-11e9-b970-000c29342cb1
severity:	MEDIUM
baseScore:	6.1
vectorString:	AV:L/AC:L/AU:N/C:C/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-138885
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8853
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.0
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: IVD: e2eeea51-39ab-11e9-b970-000c29342cb1 // CNVD: CNVD-2018-09237 // VULHUB: VHN-138885 // JVNDB: JVNDB-2018-004911 // CNNVD: CNNVD-201805-180 // NVD: CVE-2018-8853

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	CWE-250	Trust: 1.0
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-138885 // JVNDB: JVNDB-2018-004911 // NVD: CVE-2018-8853

THREAT TYPE

local

Trust: 0.9

sources: BID: 104088 // CNNVD: CNNVD-201805-180

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201805-180

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004911

PATCH

title:	Philips CT Imaging System Vulnerabilities (1-MAY-2018)	url:	https://www.usa.philips.com/healthcare/about/customer-support/product-security	Trust: 0.8
title:	Patch for PhilipsBrillianceCTScanners Privilege Escalation Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/128569	Trust: 0.6

sources: CNVD: CNVD-2018-09237 // JVNDB: JVNDB-2018-004911

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8853	Trust: 3.6
db:	ICS CERT	id:	ICSMA-18-123-01	Trust: 3.4
db:	BID	id:	104088	Trust: 2.6
db:	CNVD	id:	CNVD-2018-09237	Trust: 0.8
db:	CNNVD	id:	CNNVD-201805-180	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-004911	Trust: 0.8
db:	IVD	id:	E2EEEA51-39AB-11E9-B970-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-138885	Trust: 0.1

sources: IVD: e2eeea51-39ab-11e9-b970-000c29342cb1 // CNVD: CNVD-2018-09237 // VULHUB: VHN-138885 // BID: 104088 // JVNDB: JVNDB-2018-004911 // CNNVD: CNNVD-201805-180 // NVD: CVE-2018-8853

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsma-18-123-01	Trust: 3.4
url:	https://www.usa.philips.com/healthcare/about/customer-support/product-security	Trust: 2.3
url:	http://www.securityfocus.com/bid/104088	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8853	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8853	Trust: 0.8
url:	https://www.securityfocus.com/bid/104088/solution	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsma-18-123-01	Trust: 0.6
url:	http://www.usa.philips.com/	Trust: 0.3

sources: CNVD: CNVD-2018-09237 // VULHUB: VHN-138885 // BID: 104088 // JVNDB: JVNDB-2018-004911 // CNNVD: CNNVD-201805-180 // NVD: CVE-2018-8853

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 104088

SOURCES

db:	IVD	id:	e2eeea51-39ab-11e9-b970-000c29342cb1
db:	CNVD	id:	CNVD-2018-09237
db:	VULHUB	id:	VHN-138885
db:	BID	id:	104088
db:	JVNDB	id:	JVNDB-2018-004911
db:	CNNVD	id:	CNNVD-201805-180
db:	NVD	id:	CVE-2018-8853

LAST UPDATE DATE

2024-11-23T22:41:50.829000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-09237	date:	2018-05-10T00:00:00
db:	VULHUB	id:	VHN-138885	date:	2019-10-09T00:00:00
db:	BID	id:	104088	date:	2018-05-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-004911	date:	2018-06-29T00:00:00
db:	CNNVD	id:	CNNVD-201805-180	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-8853	date:	2024-11-21T04:14:27.400

SOURCES RELEASE DATE

db:	IVD	id:	e2eeea51-39ab-11e9-b970-000c29342cb1	date:	2018-05-10T00:00:00
db:	CNVD	id:	CNVD-2018-09237	date:	2018-05-09T00:00:00
db:	VULHUB	id:	VHN-138885	date:	2018-05-04T00:00:00
db:	BID	id:	104088	date:	2018-05-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-004911	date:	2018-06-29T00:00:00
db:	CNNVD	id:	CNNVD-201805-180	date:	2018-05-07T00:00:00
db:	NVD	id:	CVE-2018-8853	date:	2018-05-04T17:29:00.427