Details of VAR-202009-0595

ID

VAR-202009-0595

CVE

CVE-2020-16228

TITLE

Patient Information Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

DESCRIPTION

In Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior, the software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03

Trust: 1.08

sources: NVD: CVE-2020-16228 // VULHUB: VHN-169285 // VULMON: CVE-2020-16228

AFFECTED PRODUCTS

vendor:	philips	model:	patient information center ix	scope:	eq	version:	c.03	Trust: 1.0
vendor:	philips	model:	intellivue x2	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx800	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	patient information center ix	scope:	eq	version:	c.02	Trust: 1.0
vendor:	philips	model:	intellivue mx400	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	performancebridge focal point	scope:	eq	version:	a.01	Trust: 1.0
vendor:	philips	model:	intellivue mx100	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx600	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx700	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx750	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mp2-mp90	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx850	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	intellivue mx550	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	patient information center ix	scope:	eq	version:	b.02	Trust: 1.0
vendor:	philips	model:	intellivue x3	scope:	eq	version:	-	Trust: 1.0

sources: NVD: CVE-2020-16228

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-16228
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202009-677
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-169285
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-16228
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-16228
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-169285
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-16228
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	0.9
impactScore:	5.5
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

PROBLEMTYPE DATA

problemtype:

CWE-299

Trust: 1.1

sources: VULHUB: VHN-169285 // NVD: CVE-2020-16228

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

PATCH

title:

Patient Information Security vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128120

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

EXTERNAL IDS

db:	NVD	id:	CVE-2020-16228	Trust: 1.8
db:	ICS CERT	id:	ICSMA-20-254-01	Trust: 1.8
db:	CNNVD	id:	CNNVD-202009-677	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.3140	Trust: 0.6
db:	VULHUB	id:	VHN-169285	Trust: 0.1
db:	VULMON	id:	CVE-2020-16228	Trust: 0.1

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01	Trust: 2.4
url:	https://www.philips.com/productsecurity	Trust: 1.0
url:	https://www.auscert.org.au/bulletins/esb-2020.3140/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-16228	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/299.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

CREDITS

in the context of the BSI project ManiMed (Manipulation of medical devices), Germany,Julian Suleder, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Dr. Oliver Matula of ERNW Enno, which reported these to Philips., Nils Emmerich, Birk Kauer of ERNW Research GmbH

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

SOURCES

db:	VULHUB	id:	VHN-169285
db:	VULMON	id:	CVE-2020-16228
db:	CNNVD	id:	CNNVD-202009-677
db:	NVD	id:	CVE-2020-16228

LAST UPDATE DATE

2024-08-14T13:43:56.186000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-169285	date:	2020-09-15T00:00:00
db:	VULMON	id:	CVE-2020-16228	date:	2020-09-15T00:00:00
db:	CNNVD	id:	CNNVD-202009-677	date:	2021-09-01T00:00:00
db:	NVD	id:	CVE-2020-16228	date:	2023-12-12T21:15:07.970

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-169285	date:	2020-09-11T00:00:00
db:	VULMON	id:	CVE-2020-16228	date:	2020-09-11T00:00:00
db:	CNNVD	id:	CNNVD-202009-677	date:	2020-09-10T00:00:00
db:	NVD	id:	CVE-2020-16228	date:	2020-09-11T13:15:11.377