OpenCVE

Vendors	Products
Philips	Intellivue Mx40 Intellivue Mx40 Firmware

Link	Providers
http://www.securityfocus.com/bid/100813
https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01
https://www.usa.philips.com/healthcare/about/customer-support/product-security

{"containers": {"cna": {"affected": [{"product": "IntelliVue MX40 Patient Worn Monitor", "vendor": "Philips", "versions": [{"status": "affected", "version": "IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18"}]}], "datePublic": "2017-09-12T00:00:00", "descriptions": [{"lang": "en", "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-460", "description": "Improper cleanup on thrown exception CWE-460", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-01T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}, {"name": "100813", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100813"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2017-09-12T00:00:00", "ID": "CVE-2017-9657", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IntelliVue MX40 Patient Worn Monitor", "version": {"version_data": [{"version_value": "IntelliVue MX40 Patient Worn Monitor (WLAN only), all versions prior to Version B.06.18"}]}}]}, "vendor_name": "Philips"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper cleanup on thrown exception CWE-460"}]}]}, "references": {"reference_data": [{"name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security", "refsource": "CONFIRM", "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}, {"name": "100813", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100813"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:18:01.347Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}, {"name": "100813", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100813"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-9657", "datePublished": "2018-04-30T15:00:00Z", "dateReserved": "2017-06-14T00:00:00", "dateUpdated": "2024-09-16T16:13:21.087Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:intellivue_mx40_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "493FB2C6-0962-4E8E-BB55-BB02072BEA3B", "versionEndExcluding": "b.06.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:intellivue_mx40:-:*:*:*:*:*:*:*", "matchCriteriaId": "71C26579-482B-4B19-8C5E-71A26A059894", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station, when the MX40 disconnects from the access point."}, {"lang": "es", "value": "Bajo condiciones especiales de la red 802.11, es posible realizar una reasociaci\u00f3n parcial del monitor WLAN Philips IntelliVue MX40 B.06.18 con la estaci\u00f3n central de monitorizaci\u00f3n. En este estado, la estaci\u00f3n central de monitorizaci\u00f3n puede indicar que el MX40 no est\u00e1 conectado o asociado al monitor central y, por lo tanto, deber\u00eda estar funcionando en modo de monitorizaci\u00f3n local (local audio-on, screen-on), pero el propio MX40 WLAN podr\u00eda seguir funcionando en modo telemetr\u00eda (local audio-off, screen-off). Si un paciente experimenta un evento de alarma y el personal cl\u00ednico espera que MX40 proporcione una alarma local cuando no est\u00e1 disponible desde el dispositivo local, el tratamiento podr\u00eda demorarse. Puntuaci\u00f3n base de CVSS v3: 6.5, cadena de vector CVSS: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips ha lanzado una actualizaci\u00f3n de software, la versi\u00f3n B.06.18, para solucionar la vulnerabilidad de limpieza indebida de excepci\u00f3n lanzada. Adem\u00e1s, tambi\u00e9n ha implementado mitigaciones para reducir el riesgo asociado con la vulnerabilidad de gesti\u00f3n incorrecta de condiciones excepcionales. La actualizaci\u00f3n de software implementa mensajes y alarmas en el MX40 y en la estaci\u00f3n central de monitorizaci\u00f3n cuando el MX40 se desconecta del punto de acceso."}], "id": "CVE-2017-9657", "lastModified": "2024-11-21T03:36:35.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-30T15:29:00.163", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100813"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100813"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-460"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object