CVE-2021-42744 - OpenCVE

Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Philips	Mri 1.5t Mri 1.5t Firmware Mri 3t Mri 3t Firmware

Configuration 1 [-]

AND

cpe:2.3:o:philips:mri_1.5t_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:mri_1.5t:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:philips:mri_3t_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:mri_3t:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01
https://www.usa.philips.com/healthcare/about/customer-support/product-security

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-11-19T18:36:49

Updated: 2024-08-04T03:38:50.147Z

Reserved: 2021-11-11T00:00:00

Link: CVE-2021-42744

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-19T19:15:09.147

Modified: 2022-08-09T14:42:01.877

Link: CVE-2021-42744

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MRI 1.5T", "vendor": "Philips", "versions": [{"status": "affected", "version": "All 5.x.x"}]}, {"product": "MRI 3T", "vendor": "Philips", "versions": [{"status": "affected", "version": "5.x.x"}]}], "credits": [{"lang": "en", "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."}], "descriptions": [{"lang": "en", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-19T18:36:49", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"tags": ["x_refsource_MISC"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}], "source": {"advisory": "ICSMA-21-313-01", "discovery": "EXTERNAL"}, "title": "Philips MRI 1.5T and 3T Information Exposure", "workarounds": [{"lang": "en", "value": "Philips plans a new release to remediate these vulnerabilities by October 2022. As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-42744", "STATE": "PUBLIC", "TITLE": "Philips MRI 1.5T and 3T Information Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MRI 1.5T", "version": {"version_data": [{"version_affected": "=", "version_name": "All", "version_value": "5.x.x"}]}}, {"product_name": "MRI 3T", "version": {"version_data": [{"version_affected": "=", "version_value": "5.x.x"}]}}]}, "vendor_name": "Philips"}]}}, "credit": [{"lang": "eng", "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security", "refsource": "MISC", "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}]}, "source": {"advisory": "ICSMA-21-313-01", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Philips plans a new release to remediate these vulnerabilities by October 2022. As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:38:50.147Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-42744", "datePublished": "2021-11-19T18:36:49", "dateReserved": "2021-11-11T00:00:00", "dateUpdated": "2024-08-04T03:38:50.147Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:mri_1.5t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B195E6-DBA3-44A1-ACD4-4961F62C0B5C", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:mri_1.5t:-:*:*:*:*:*:*:*", "matchCriteriaId": "27C345BC-B71C-4EA3-A7FD-07354F2D9375", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:mri_3t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6E28B57-F160-4463-A019-01C016729B87", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:mri_3t:-:*:*:*:*:*:*:*", "matchCriteriaId": "D61A1A34-1132-47AC-9BBB-06537D59C9FA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}, {"lang": "es", "value": "Philips MRI 1.5T y MRI 3T versi\u00f3n 5.x.x, expone informaci\u00f3n confidencial a un actor no autorizado expl\u00edcitamente a tener acceso"}], "id": "CVE-2021-42744", "lastModified": "2022-08-09T14:42:01.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-11-19T19:15:09.147", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}