ID

VAR-202009-0602


CVE

CVE-2020-16212


TITLE

Patient Information Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

DESCRIPTION

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03. Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior.

Trust: 1.08

sources: NVD: CVE-2020-16212 // VULHUB: VHN-169268 // VULMON: CVE-2020-16212

AFFECTED PRODUCTS

vendor: philips // model: patient information center ix // scope: eq // version: c.03

Trust: 1.0

vendor: philips // model: patient information center ix // scope: eq // version: c.02

Trust: 1.0

vendor: philips // model: patient information center ix // scope: eq // version: b.02

Trust: 1.0

sources: NVD: CVE-2020-16212

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-16212
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202009-673
value: MEDIUM

Trust: 0.6

VULHUB: VHN-169268
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-16212
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-16212
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-169268
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-16212
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

PROBLEMTYPE DATA

problemtype: CWE-668

Trust: 1.1

sources: VULHUB: VHN-169268 // NVD: CVE-2020-16212

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

PATCH

title: Patient Information Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128116

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

EXTERNAL IDS

db: ICS CERT // id: ICSMA-20-254-01

Trust: 1.8

db: NVD // id: CVE-2020-16212

Trust: 1.8

db: CNNVD // id: CNNVD-202009-673

Trust: 0.7

db: AUSCERT // id: ESB-2020.3140

Trust: 0.6

db: VULHUB // id: VHN-169268

Trust: 0.1

db: VULMON // id: CVE-2020-16212

Trust: 0.1

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

REFERENCES

url: https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.4

url: https://www.philips.com/productsecurity

Trust: 1.0

url: https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-16212

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/668.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-169268 // VULMON: CVE-2020-16212 // CNNVD: CNNVD-202009-673 // NVD: CVE-2020-16212

CREDITS

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.

Trust: 0.6

sources: CNNVD: CNNVD-202009-673

SOURCES

db: VULHUB // id: VHN-169268
db: VULMON // id: CVE-2020-16212
db: CNNVD // id: CNNVD-202009-673
db: NVD // id: CVE-2020-16212

LAST UPDATE DATE

2024-08-14T13:43:56.052000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-169268 // date: 2020-09-15T00:00:00
db: VULMON // id: CVE-2020-16212 // date: 2020-09-15T00:00:00
db: CNNVD // id: CNNVD-202009-673 // date: 2021-09-01T00:00:00
db: NVD // id: CVE-2020-16212 // date: 2023-12-12T19:15:07.597

SOURCES RELEASE DATE

db: VULHUB // id: VHN-169268 // date: 2020-09-11T00:00:00
db: VULMON // id: CVE-2020-16212 // date: 2020-09-11T00:00:00
db: CNNVD // id: CNNVD-202009-673 // date: 2020-09-10T00:00:00
db: NVD // id: CVE-2020-16212 // date: 2020-09-11T14:15:11.377