ID

VAR-202009-0602


CVE

CVE-2020-16212


TITLE

Patient Information Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

DESCRIPTION

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03. Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior

Trust: 1.08

sources: NVD: CVE-2020-16212 // VULHUB: VHN-169268 // VULMON: CVE-2020-16212

AFFECTED PRODUCTS

vendor:philipsmodel:patient information center ixscope:eqversion:c.03

Trust: 1.0

vendor:philipsmodel:patient information center ixscope:eqversion:c.02

Trust: 1.0

vendor:philipsmodel:patient information center ixscope:eqversion:b.02

Trust: 1.0

sources: NVD: CVE-2020-16212

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16212
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202009-673
value: MEDIUM

Trust: 0.6

VULHUB: VHN-169268
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-16212
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-16212
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-169268
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-16212
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

PROBLEMTYPE DATA

problemtype:CWE-668

Trust: 1.1

sources: VULHUB: VHN-169268 // NVD: CVE-2020-16212

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

PATCH

title:Patient Information Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128116

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

EXTERNAL IDS

db:ICS CERTid:ICSMA-20-254-01

Trust: 1.8

db:NVDid:CVE-2020-16212

Trust: 1.8

db:CNNVDid:CNNVD-202009-673

Trust: 0.7

db:AUSCERTid:ESB-2020.3140

Trust: 0.6

db:VULHUBid:VHN-169268

Trust: 0.1

db:VULMONid:CVE-2020-16212

Trust: 0.1

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.4

url:https://www.philips.com/productsecurity

Trust: 1.0

url:https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16212

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/668.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

CREDITS

in the context of the BSI project ManiMed (Manipulation of medical devices), Germany,Julian Suleder, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Dr. Oliver Matula of ERNW Enno, which reported these to Philips., Nils Emmerich, Birk Kauer of ERNW Research GmbH

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

SOURCES

db:VULHUBid:VHN-169268
db:VULMONid:CVE-2020-16212
db:CNNVDid:CNNVD-202009-673
db:NVDid:CVE-2020-16212

LAST UPDATE DATE

2024-11-23T21:35:20.133000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-169268date:2020-09-15T00:00:00
db:VULMONid:CVE-2020-16212date:2020-09-15T00:00:00
db:CNNVDid:CNNVD-202009-673date:2021-09-01T00:00:00
db:NVDid:CVE-2020-16212date:2024-11-21T05:06:56.843

SOURCES RELEASE DATE

db:VULHUBid:VHN-169268date:2020-09-11T00:00:00
db:VULMONid:CVE-2020-16212date:2020-09-11T00:00:00
db:CNNVDid:CNNVD-202009-673date:2020-09-10T00:00:00
db:NVDid:CVE-2020-16212date:2020-09-11T14:15:11.377