ID

VAR-201809-1094


CVE

CVE-2018-8856


TITLE

Philips e-Alert Unit Vulnerabilities related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2018-010700

DESCRIPTION

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software contains a hard-coded cryptographic key, which it uses for encryption of internal data. Philips e-Alert Unit contains a vulnerability in the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS).

Philips e-Alert is prone to the following security vulnerabilities:

1. An input-validation vulnerability
2. A cross-site scripting vulnerability
3. Multiple information-disclosure vulnerabilities
4. An insecure default permissions vulnerability
5. A cross-site request-forgery vulnerability
6. A session-fixation vulnerability
7. A denial-of-service vulnerability
8. A security-bypass vulnerability

Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable.

Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. An attacker could exploit this to obtain sensitive information.

Trust: 1.98

sources: NVD: CVE-2018-8856 // JVNDB: JVNDB-2018-010700 // BID: 105194 // VULHUB: VHN-138888

AFFECTED PRODUCTS

vendor: philips, model: e-alert, scope: lte, version: r2.1

Trust: 1.8

vendor: philips, model: e-alert, scope: eq, version: r2.1

Trust: 0.6

vendor: philips, model: e-alert r2.1, scope: -, version: -

Trust: 0.3

vendor: philips, model: e-alert r2, scope: -, version: -

Trust: 0.3

sources: BID: 105194 // JVNDB: JVNDB-2018-010700 // CNNVD: CNNVD-201809-118 // NVD: CVE-2018-8856

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-8856
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-8856
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201809-118
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138888
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-8856
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138888
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-8856
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-138888 // JVNDB: JVNDB-2018-010700 // CNNVD: CNNVD-201809-118 // NVD: CVE-2018-8856

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-138888 // JVNDB: JVNDB-2018-010700 // NVD: CVE-2018-8856

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-118

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201809-118

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010700

PATCH

title: Philips e-Alert Unit Vulnerabilities (30-AUG-2018)
url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips e-Alert Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84479

Trust: 0.6

sources: JVNDB: JVNDB-2018-010700 // CNNVD: CNNVD-201809-118

EXTERNAL IDS

db: NVD, id: CVE-2018-8856

Trust: 2.8

db: ICS CERT, id: ICSA-18-242-01

Trust: 2.2

db: BID, id: 105194

Trust: 2.0

db: JVNDB, id: JVNDB-2018-010700

Trust: 0.8

db: CNNVD, id: CNNVD-201809-118

Trust: 0.7

db: VULHUB, id: VHN-138888

Trust: 0.1

sources: VULHUB: VHN-138888 // BID: 105194 // JVNDB: JVNDB-2018-010700 // CNNVD: CNNVD-201809-118 // NVD: CVE-2018-8856

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-242-01

Trust: 2.2

url:http://www.securityfocus.com/bid/105194

Trust: 1.7

url:https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8856

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-8856

Trust: 0.8

sources: VULHUB: VHN-138888 // BID: 105194 // JVNDB: JVNDB-2018-010700 // CNNVD: CNNVD-201809-118 // NVD: CVE-2018-8856

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105194

SOURCES

db: VULHUB, id: VHN-138888
db: BID, id: 105194
db: JVNDB, id: JVNDB-2018-010700
db: CNNVD, id: CNNVD-201809-118
db: NVD, id: CVE-2018-8856

LAST UPDATE DATE

2024-11-23T22:26:13.167000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138888, date: 2018-11-21T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010700, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-118, date: 2018-09-30T00:00:00
db: NVD, id: CVE-2018-8856, date: 2024-11-21T04:14:27.820

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138888, date: 2018-09-26T00:00:00
db: BID, id: 105194, date: 2018-08-30T00:00:00
db: JVNDB, id: JVNDB-2018-010700, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201809-118, date: 2018-09-04T00:00:00
db: NVD, id: CVE-2018-8856, date: 2018-09-26T19:29:03.347