CVE-2020-16224 - OpenCVE

In Patient Information Center iX (PICiX) Versions C.02, C.03, the software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Philips	Patient Information Center Ix

Configuration 1 [-]

OR	cpe:2.3:a:philips:patient_information_center_ix:c.02:::::::*
	cpe:2.3:a:philips:patient_information_center_ix:c.03:::::::*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01
https://www.philips.com/productsecurity

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-09-11T13:05:19

Updated: 2024-08-04T13:37:53.948Z

Reserved: 2020-07-31T00:00:00

Link: CVE-2020-16224

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-11T14:15:11.567

Modified: 2023-12-12T21:15:07.887

Link: CVE-2020-16224

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Patient Information Center iX (PICiX)", "vendor": "Philips ", "versions": [{"status": "affected", "version": "C.02"}, {"status": "affected", "version": "C.03"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\nIn Patient Information Center iX (PICiX) Versions C.02, C.03, the \nsoftware parses a formatted message or structure but does not handle or \nincorrectly handles a length field that is inconsistent with the actual \nlength of the associated data, causing the application on the \nsurveillance station to restart.\n\n</p>"}], "value": "In Patient Information Center iX (PICiX) Versions C.02, C.03, the \nsoftware parses a formatted message or structure but does not handle or \nincorrectly handles a length field that is inconsistent with the actual \nlength of the associated data, causing the application on the \nsurveillance station to restart.\n\n\n\n"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-12-12T20:55:58.162Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"}, {"url": "https://www.philips.com/productsecurity"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>Philips released the following versions to remediate reported vulnerabilities:</p>\n<ul>\n<li>Patient Information Center iX (PICiX) Version C.03</li>\n<li>Certificate revocation within the system was implemented for PIC iX.</li></ul>\n\n<br>"}], "value": "Philips released the following versions to remediate reported vulnerabilities:\n\n\n\n * Patient Information Center iX (PICiX) Version C.03\n\n * Certificate revocation within the system was implemented for PIC iX.\n\n\n\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Philips Patient Monitoring Devices Improper Handling of Length Parameter Inconsistency", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>As a mitigation to these vulnerabilities, Philips recommends the following:</p>\n<ul>\n<li>The Philips patient monitoring network is required to be physically \nor logically isolated from the hospital local area network (LAN). \nPhilips recommends using a firewall or routers that can implement access\n control lists restricting access in and out of the patient monitoring \nnetwork for only necessary ports and IP addresses. Refer to the Philips \nPatient Monitoring System Security for Clinical Networks guide for \nadditional information on <a target=\"_blank\" rel=\"nofollow\" href=\"https://incenter.medical.philips.com/\">InCenter</a>.</li>\n<li>By default, the simple certificate enrollment protocol (SCEP) \nservice is not running. When needed, the service is configured to run \nbased on the duration or the number of certificates to be assigned. One \ncertificate is default, but if a certificate is not issued, the service \nwill continue to run. Limit exposure by ensuring the SCEP service is not\n running unless it is actively being used to enroll new devices.</li>\n<li>When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits.</li>\n<li>Implement physical security controls to prevent unauthorized login \nattempts on the PIC iX application. Servers should be kept in controlled\n locked data centers. Access to equipment at nurses\u2019 stations should be \ncontrolled and monitored.</li>\n<li>Only grant remote access to PIC iX servers on a must-have basis.</li>\n<li>Grant login privileges to the bedside monitor and PIC iX application\n on a role-based, least-privilege basis, and only to trusted users.</li>\n</ul>\n<p>Users with questions regarding their specific Philips Patient \nInformation Center (PIC iX) and/or IntelliVue patient monitor \ninstallations and new release eligibility should contact their local <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\">Philips service support team, or regional service support</a>, or call 1-800-722-9377.</p>\n<p>Please see the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\">Philips product security website</a> for the Philips advisory and the latest security information for Philips products.</p>\n\n<br>"}], "value": "As a mitigation to these vulnerabilities, Philips recommends the following:\n\n\n\n * The Philips patient monitoring network is required to be physically \nor logically isolated from the hospital local area network (LAN). \nPhilips recommends using a firewall or routers that can implement access\n control lists restricting access in and out of the patient monitoring \nnetwork for only necessary ports and IP addresses. Refer to the Philips \nPatient Monitoring System Security for Clinical Networks guide for \nadditional information on InCenter https://incenter.medical.philips.com/ .\n\n * By default, the simple certificate enrollment protocol (SCEP) \nservice is not running. When needed, the service is configured to run \nbased on the duration or the number of certificates to be assigned. One \ncertificate is default, but if a certificate is not issued, the service \nwill continue to run. Limit exposure by ensuring the SCEP service is not\n running unless it is actively being used to enroll new devices.\n\n * When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits.\n\n * Implement physical security controls to prevent unauthorized login \nattempts on the PIC iX application. Servers should be kept in controlled\n locked data centers. Access to equipment at nurses\u2019 stations should be \ncontrolled and monitored.\n\n * Only grant remote access to PIC iX servers on a must-have basis.\n\n * Grant login privileges to the bedside monitor and PIC iX application\n on a role-based, least-privilege basis, and only to trusted users.\n\n\n\n\nUsers with questions regarding their specific Philips Patient \nInformation Center (PIC iX) and/or IntelliVue patient monitor \ninstallations and new release eligibility should contact their local Philips service support team, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377.\n\n\nPlease see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.\n\n\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-16224", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Philips Patient Information Center iX (PICiX), PerformanceBridge Focal Point, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90, IntelliVue X3 and X2.", "version": {"version_data": [{"version_value": "Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:53.948Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"}, {"url": "https://www.philips.com/productsecurity", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-16224", "datePublished": "2020-09-11T13:05:19", "dateReserved": "2020-07-31T00:00:00", "dateUpdated": "2024-08-04T13:37:53.948Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:philips:patient_information_center_ix:c.02:*:*:*:*:*:*:*", "matchCriteriaId": "F3220AB2-AC0D-4AC2-90D8-76C02FC693EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:patient_information_center_ix:c.03:*:*:*:*:*:*:*", "matchCriteriaId": "AE1FB3E9-E269-434A-B1C2-D54C40F437BE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Patient Information Center iX (PICiX) Versions C.02, C.03, the \nsoftware parses a formatted message or structure but does not handle or \nincorrectly handles a length field that is inconsistent with the actual \nlength of the associated data, causing the application on the \nsurveillance station to restart.\n\n\n\n"}, {"lang": "es", "value": "Patient Information Center iX (PICiX) Versiones B.02, C.02, C.03, PerformanceBridge Focal Point Versi\u00f3n A.01, monitores de paciente IntelliVue MX100, MX400-MX850 y MP2-MP90 Versiones N y anteriores, IntelliVue X3 y X2 Versiones N y anteriores. El software analiza una estructura o mensaje formateado, pero no maneja o maneja incorrectamente un campo de longitud que no es consistente con la longitud real de los datos asociados, causando que la aplicaci\u00f3n en la estaci\u00f3n de supervisi\u00f3n se reinicie"}], "id": "CVE-2020-16224", "lastModified": "2023-12-12T21:15:07.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-11T14:15:11.567", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.philips.com/productsecurity"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}