ID

VAR-202009-0606


CVE

CVE-2020-16220


TITLE

Patient Information Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202009-675

DESCRIPTION

In Patient Information Center iX (PICiX) Versions C.02, C.03, PerformanceBridge Focal Point Version A.01, the product receives input that is expected to be well-formed (i.e., to comply with a certain syntax) but it does not validate or incorrectly validates that the input complies with the syntax, causing the certificate enrollment service to crash. It does not impact monitoring but prevents new devices from enrolling. A vulnerability exists in Patient Information. The vulnerability stems from special elements that may be interpreted as commands when spreadsheet software opens the file. The following products and versions are affected: B.02, C.02, C.03. Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior

Trust: 1.08

sources: NVD: CVE-2020-16220 // VULHUB: VHN-169277 // VULMON: CVE-2020-16220

AFFECTED PRODUCTS

vendor: philips // model: performancebridge focal point // scope: eq // version: a.01

Trust: 1.0

vendor: philips // model: patient information center ix // scope: eq // version: c.03

Trust: 1.0

vendor: philips // model: patient information center ix // scope: eq // version: c.02

Trust: 1.0

vendor: philips // model: patient information center ix // scope: eq // version: b.02

Trust: 1.0

sources: NVD: CVE-2020-16220

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16220
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202009-675
value: MEDIUM

Trust: 0.6

VULHUB: VHN-169277
value: LOW

Trust: 0.1

VULMON: CVE-2020-16220
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-16220
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-169277
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-16220
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-169277 // VULMON: CVE-2020-16220 // CNNVD: CNNVD-202009-675 // NVD: CVE-2020-16220

PROBLEMTYPE DATA

problemtype:CWE-1286

Trust: 1.0

sources: NVD: CVE-2020-16220

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202009-675

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-675

PATCH

title: Patient Information Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128118

Trust: 0.6

sources: CNNVD: CNNVD-202009-675

EXTERNAL IDS

db: NVD // id: CVE-2020-16220

Trust: 1.8

db: ICS CERT // id: ICSMA-20-254-01

Trust: 1.8

db: CNNVD // id: CNNVD-202009-675

Trust: 0.7

db: AUSCERT // id: ESB-2020.3140

Trust: 0.6

db: VULHUB // id: VHN-169277

Trust: 0.1

db: VULMON // id: CVE-2020-16220

Trust: 0.1

sources: VULHUB: VHN-169277 // VULMON: CVE-2020-16220 // CNNVD: CNNVD-202009-675 // NVD: CVE-2020-16220

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Trust: 2.4

url:https://www.philips.com/productsecurity

Trust: 1.0

url:https://www.auscert.org.au/bulletins/esb-2020.3140/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16220

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/1286.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-169277 // VULMON: CVE-2020-16220 // CNNVD: CNNVD-202009-675 // NVD: CVE-2020-16220

CREDITS

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.

Trust: 0.6

sources: CNNVD: CNNVD-202009-675

SOURCES

db: VULHUB // id: VHN-169277
db: VULMON // id: CVE-2020-16220
db: CNNVD // id: CNNVD-202009-675
db: NVD // id: CVE-2020-16220

LAST UPDATE DATE

2024-08-14T13:43:56.119000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-169277 // date: 2020-09-15T00:00:00
db: VULMON // id: CVE-2020-16220 // date: 2020-09-15T00:00:00
db: CNNVD // id: CNNVD-202009-675 // date: 2021-09-01T00:00:00
db: NVD // id: CVE-2020-16220 // date: 2023-12-12T21:15:07.717

SOURCES RELEASE DATE

db: VULHUB // id: VHN-169277 // date: 2020-09-11T00:00:00
db: VULMON // id: CVE-2020-16220 // date: 2020-09-11T00:00:00
db: CNNVD // id: CNNVD-202009-675 // date: 2020-09-10T00:00:00
db: NVD // id: CVE-2020-16220 // date: 2020-09-11T14:15:11.503