CVE-2017-11578 - OpenCVE

It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Blipcare	Wi-fi Blood Pressure Monitor Wi-fi Blood Pressure Monitor Firmware

Configuration 1 [-]

AND

cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf
https://seclists.org/bugtraq/2019/Jun/8

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-02T20:33:14

Updated: 2024-08-05T18:12:40.629Z

Reserved: 2017-07-23T00:00:00

Link: CVE-2017-11578

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-02T21:15:09.870

Modified: 2019-07-15T13:10:30.407

Link: CVE-2017-11578

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-06-07T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-02T20:33:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20190609 Newly releases IoT security issues", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11578", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20190609 Newly releases IoT security issues", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"name": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"name": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf", "refsource": "MISC", "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:12:40.629Z"}, "title": "CVE Program Container", "references": [{"name": "20190609 Newly releases IoT security issues", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11578", "datePublished": "2019-07-02T20:33:14", "dateReserved": "2017-07-23T00:00:00", "dateUpdated": "2024-08-05T18:12:40.629Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFBC8640-C65D-4A08-90C9-1DEAEE598C91", "versionEndIncluding": "bp700_10.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB414505-7BE8-463E-B036-16B53ADED4AA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}, {"lang": "es", "value": "Se detect\u00f3 como parte de la investigaci\u00f3n sobre dispositivos IoT en el firmware m\u00e1s reciente para el dispositivo Blipcare, que el dispositivo permite conectarse a la interfaz de administraci\u00f3n web en una conexi\u00f3n no SSL usando el protocolo HTTP de texto plano. El usuario utiliza la interfaz de administraci\u00f3n web del dispositivo para proveer las credenciales Wi-Fi del usuario para que el dispositivo pueda conectarse a \u00e9l y tener acceso a Internet. Este dispositivo act\u00faa como un monitor de presi\u00f3n Sangu\u00ednea Inal\u00e1mbrico y es usado para medir los niveles de presi\u00f3n sangu\u00ednea de una persona. Esto permite a un atacante que est\u00e1 conectado a la red inal\u00e1mbrica del dispositivo Blipcare poder espiar f\u00e1cilmente estos valores mediante un ataque de tipo MITM."}], "id": "CVE-2017-11578", "lastModified": "2019-07-15T13:10:30.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-02T21:15:09.870", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}