ID

VAR-202009-0595


CVE

CVE-2020-16228


TITLE

Patient Information Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

DESCRIPTION

In Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior, the software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03

Trust: 1.08

sources: NVD: CVE-2020-16228 // VULHUB: VHN-169285 // VULMON: CVE-2020-16228

AFFECTED PRODUCTS

vendor: philips, model: intellivue mx600, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mx750, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue x2, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mx550, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mx800, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mx700, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue x3, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mx400, scope: eq, version: -

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: b.02

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: c.02

Trust: 1.0

vendor: philips, model: intellivue mx100, scope: eq, version: -

Trust: 1.0

vendor: philips, model: intellivue mp2-mp90, scope: eq, version: -

Trust: 1.0

vendor: philips, model: performancebridge focal point, scope: eq, version: a.01

Trust: 1.0

vendor: philips, model: patient information center ix, scope: eq, version: c.03

Trust: 1.0

vendor: philips, model: intellivue mx850, scope: eq, version: -

Trust: 1.0

sources: NVD: CVE-2020-16228

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16228
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202009-677
value: MEDIUM

Trust: 0.6

VULHUB: VHN-169285
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-16228
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-16228
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-169285
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-16228
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 0.9
impactScore: 5.5
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

PROBLEMTYPE DATA

problemtype:CWE-299

Trust: 1.1

sources: VULHUB: VHN-169285 // NVD: CVE-2020-16228

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

PATCH

title: Patient Information Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128120

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

EXTERNAL IDS

db: NVD, id: CVE-2020-16228

Trust: 1.8

db: ICS CERT, id: ICSMA-20-254-01

Trust: 1.8

db: CNNVD, id: CNNVD-202009-677

Trust: 0.7

db: AUSCERT, id: ESB-2020.3140

Trust: 0.6

db: VULHUB, id: VHN-169285

Trust: 0.1

db: VULMON, id: CVE-2020-16228

Trust: 0.1

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.4

url:https://www.philips.com/productsecurity

Trust: 1.0

url:https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16228

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/299.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-169285 // VULMON: CVE-2020-16228 // CNNVD: CNNVD-202009-677 // NVD: CVE-2020-16228

CREDITS

In the context of the BSI project ManiMed (Manipulation of medical devices), Germany, Julian Suleder, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Dr. Oliver Matula of ERNW Enno, which reported these to Philips., Nils Emmerich, Birk Kauer of ERNW Research GmbH

Trust: 0.6

sources: CNNVD: CNNVD-202009-677

SOURCES

db: VULHUB, id: VHN-169285
db: VULMON, id: CVE-2020-16228
db: CNNVD, id: CNNVD-202009-677
db: NVD, id: CVE-2020-16228

LAST UPDATE DATE

2024-11-23T21:35:20.024000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-169285, date: 2020-09-15T00:00:00
db: VULMON, id: CVE-2020-16228, date: 2020-09-15T00:00:00
db: CNNVD, id: CNNVD-202009-677, date: 2021-09-01T00:00:00
db: NVD, id: CVE-2020-16228, date: 2024-11-21T05:06:58.877

SOURCES RELEASE DATE

db: VULHUB, id: VHN-169285, date: 2020-09-11T00:00:00
db: VULMON, id: CVE-2020-16228, date: 2020-09-11T00:00:00
db: CNNVD, id: CNNVD-202009-677, date: 2020-09-10T00:00:00
db: NVD, id: CVE-2020-16228, date: 2020-09-11T13:15:11.377