CVE-2017-9657
 
Public Exploits: 0
Exploited in Wild: -
Descriptions
Under specific 802.11 network conditions, a partial re-association of the Philips IntelliVue MX40 Version B.06.18 WLAN monitor to the central monitoring station is possible. In this state, the central monitoring station can indicate the MX40 is not connected or associated to the central monitor, and thus should be operating in local monitoring mode (local audio-on, screen-on), but the MX40 WLAN itself can instead still be operating in telemetry mode (local audio-off, screen-off). If a patient experiences an alarm event and clinical staff expects the MX40 to provide local alarming when it is not available from the local device, a delay of treatment can occur. CVSS v3 base score: 6.5, CVSS vector string: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Philips has released a software update, Version B.06.18, to fix the improper cleanup on thrown exception vulnerability, and to implement mitigations to reduce the risk associated with the improper handling of exceptional conditions vulnerability. The software update implements messaging and alarming on the MX40 and at the central monitoring station when the MX40 disconnects from the access point.
Timeline
- 2017-06-14 CVE Reserved
- 2018-04-30 CVE Published
- 2023-10-31 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-755: Improper Handling of Exceptional Conditions
References (3)
URL | Tag | Date |
---|---|---|
http://www.securityfocus.com/bid/100813 | Third Party Advisory | |
https://ics-cert.us-cert.gov/advisories/ICSMA-17-255-01 | Third Party Advisory | |
https://www.usa.philips.com/healthcare/about/customer-support/product-security | | 2019-10-09 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Philips | Intellivue Mx40 Firmware | < b.06.18 | - | Affected |
in: Philips | Intellivue Mx40 | - | - | Safe |