Sign-up

ID

VAR-201811-0058


CVE

CVE-2018-18561


TITLE

plural Roche Authentication vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-012878

DESCRIPTION

An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system. plural Roche The product contains authentication vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RocheAccu-ChekInformIIBaseUnit/BaseUnitHub and CoaguChek/cobash232HandheldBaseUnit are hand-held blood test medical devices from Roche, Switzerland. A security vulnerability exists in versions prior to RocheAccu-ChekInformIIBaseUnit/BaseUnitHub03.01.04 and in versions prior to CoaguChek/cobash232HandheldBaseUnit03.01.04. The vulnerability stems from the failure of the program to assign security. Multiple Roche Point of Care Handheld Medical Services are prone to the following security vulnerabilities: 1. An authentication bypass vulnerability 2. An OS command-injection vulnerability 3. An arbitrary file-upload vulnerability 4. A remote code-execution vulnerability 5

Trust: 2.61

sources: NVD: CVE-2018-18561 // JVNDB: JVNDB-2018-012878 // CNVD: CNVD-2018-25294 // BID: 105843 // IVD: 7d806042-463f-11e9-9ab2-000c29342cb1

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 7d806042-463f-11e9-9ab2-000c29342cb1 // CNVD: CNVD-2018-25294

AFFECTED PRODUCTS

vendor:rochemodel:base unit hubscope:ltversion:03.01.04

Trust: 1.0

vendor:rochemodel:coaguchekscope:ltversion:03.01.04

Trust: 1.0

vendor:rochemodel:cobas h 232scope:ltversion:03.01.04

Trust: 1.0

vendor:rochemodel:accu-chek inform iiscope:ltversion:03.01.04

Trust: 1.0

vendor:roche diagnosticsmodel:accu-chek inform iiscope:ltversion:03.01.04

Trust: 0.8

vendor:roche diagnosticsmodel:base unit hubscope:ltversion:03.01.04

Trust: 0.8

vendor:roche diagnosticsmodel:coaguchekscope:ltversion:03.01.04

Trust: 0.8

vendor:roche diagnosticsmodel:cobas h 232scope:ltversion:03.01.04

Trust: 0.8

vendor:rochemodel:accu-chek inform ii base unit/base unit hubscope:ltversion:03.01.04

Trust: 0.6

vendor:rochemodel:coaguchek/cobas h232 handheld base unitscope:ltversion:03.01.04

Trust: 0.6

vendor:rochemodel:cobas hscope:eqversion:2320

Trust: 0.3

vendor:rochemodel:coaguchek xs proscope:eqversion:0

Trust: 0.3

vendor:rochemodel:coaguchek xs plusscope:eqversion:0

Trust: 0.3

vendor:rochemodel:coaguchek pro iiscope:eqversion:0

Trust: 0.3

vendor:rochemodel:coaguchekscope:eqversion:0

Trust: 0.3

vendor:rochemodel:accu-chek inform ii instrumentscope:eqversion:0

Trust: 0.3

vendor:rochemodel:cobas hscope:neversion:2324.0.4

Trust: 0.3

vendor:rochemodel:cobas hscope:neversion:2323.1.4

Trust: 0.3

vendor:rochemodel:cobas hscope:neversion:2323.1.3

Trust: 0.3

vendor:rochemodel:coaguchek xs proscope:neversion:3.1.6

Trust: 0.3

vendor:rochemodel:coaguchek xs plusscope:neversion:3.1.6

Trust: 0.3

vendor:rochemodel:coaguchek pro iiscope:neversion:4.3

Trust: 0.3

vendor:rochemodel:coaguchekscope:neversion:3.1.4

Trust: 0.3

vendor:rochemodel:accu-chek inform ii instrumentscope:neversion:3.6

Trust: 0.3

vendor:accu chek inform iimodel: - scope:eqversion:*

Trust: 0.2

vendor:cobas h 232model: - scope:eqversion:*

Trust: 0.2

vendor:coaguchekmodel: - scope:eqversion:*

Trust: 0.2

vendor:base unit hubmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 7d806042-463f-11e9-9ab2-000c29342cb1 // CNVD: CNVD-2018-25294 // BID: 105843 // JVNDB: JVNDB-2018-012878 // NVD: CVE-2018-18561

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18561
value: HIGH

Trust: 1.0

NVD: CVE-2018-18561
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-25294
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201811-114
value: HIGH

Trust: 0.6

IVD: 7d806042-463f-11e9-9ab2-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-18561
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-25294
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:C/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d806042-463f-11e9-9ab2-000c29342cb1
severity: MEDIUM
baseScore: 6.1
vectorString: AV:A/AC:L/AU:N/C:C/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-18561
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 7d806042-463f-11e9-9ab2-000c29342cb1 // CNVD: CNVD-2018-25294 // JVNDB: JVNDB-2018-012878 // CNNVD: CNNVD-201811-114 // NVD: CVE-2018-18561

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2018-012878 // NVD: CVE-2018-18561

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201811-114

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201811-114

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-012878

PATCH
title:Top Pageurl:https://diagnostics.roche.com/us/en/home.html
Trust: 0.8
title:Roche Accu-Chek Inform II Base Unit/Base Unit Hub  and CoaguChek/cobas h232 Handheld Base Unit Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126829
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-012878 // 
            
            
            
            CNNVD: CNNVD-201811-114

EXTERNAL IDS
db:NVDid:CVE-2018-18561
Trust: 3.5
db:ICS CERTid:ICSMA-18-310-01
Trust: 3.3
db:BIDid:105843
Trust: 2.5
db:CNVDid:CNVD-2018-25294
Trust: 0.8
db:CNNVDid:CNNVD-201811-114
Trust: 0.8
db:JVNDBid:JVNDB-2018-012878
Trust: 0.8
db:IVDid:7D806042-463F-11E9-9AB2-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: 7d806042-463f-11e9-9ab2-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2018-25294 // 
            
            
            
            BID: 105843 // 
            
            
            
            JVNDB: JVNDB-2018-012878 // 
            
            
            
            CNNVD: CNNVD-201811-114 // 
            
            
            
            NVD: CVE-2018-18561

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsma-18-310-01
Trust: 3.3
url:http://www.securityfocus.com/bid/105843
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18561
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-18561
Trust: 0.8
url:https://www.roche.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-25294 // 
            
            
            
            BID: 105843 // 
            
            
            
            JVNDB: JVNDB-2018-012878 // 
            
            
            
            CNNVD: CNNVD-201811-114 // 
            
            
            
            NVD: CVE-2018-18561

CREDITS
Niv Yehezkel of Medigate
Trust: 0.3
sources:
            
            
            BID: 105843

SOURCES
db:IVDid:7d806042-463f-11e9-9ab2-000c29342cb1
db:CNVDid:CNVD-2018-25294
db:BIDid:105843
db:JVNDBid:JVNDB-2018-012878
db:CNNVDid:CNNVD-201811-114
db:NVDid:CVE-2018-18561

LAST UPDATE DATE
2024-11-23T21:52:40.371000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-25294date:2018-12-14T00:00:00
db:BIDid:105843date:2018-11-06T00:00:00
db:JVNDBid:JVNDB-2018-012878date:2019-02-08T00:00:00
db:CNNVDid:CNNVD-201811-114date:2020-10-22T00:00:00
db:NVDid:CVE-2018-18561date:2024-11-21T03:56:09.517

SOURCES RELEASE DATE
db:IVDid:7d806042-463f-11e9-9ab2-000c29342cb1date:2018-12-14T00:00:00
db:CNVDid:CNVD-2018-25294date:2018-12-14T00:00:00
db:BIDid:105843date:2018-11-06T00:00:00
db:JVNDBid:JVNDB-2018-012878date:2019-02-08T00:00:00
db:CNNVDid:CNNVD-201811-114date:2018-11-07T00:00:00
db:NVDid:CVE-2018-18561date:2018-11-20T19:29:00.713