CVE-2018-8857

Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brillance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) contains fixed credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. An attacker could compromise these credentials and gain access to the system.

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/104088	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-18-123-01	Third Party Advisory US Government Resource
https://www.usa.philips.com/healthcare/about/customer-support/product-security	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:philips:brilliance_firmware_64:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:brilliance_64:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:philips:brilliance_ict_sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:brilliance_ict_sp:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:philips:brilliance_ict_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:brilliance_ict:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:philips:_brilliance_ct_big_bore_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:_brilliance_ct_big_bore:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-05-04 17:29

Updated : 2019-10-09 23:42

NVD link : CVE-2018-8857

Mitre link : CVE-2018-8857

CVE.ORG link : CVE-2018-8857

JSON object : View

Products Affected

philips

brilliance_ict
brilliance_ict_sp_firmware
brilliance_64
_brilliance_ct_big_bore_firmware
_brilliance_ct_big_bore
brilliance_ict_firmware
brilliance_ict_sp
brilliance_firmware_64

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2018-8857", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2018-05-04T17:29:00.503", "references": [{"url": "http://www.securityfocus.com/bid/104088", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-123-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security", "tags": ["Vendor Advisory"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brillance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) contains fixed credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. An attacker could compromise these credentials and gain access to the system."}, {"lang": "es", "value": "El software de Philips Brilliance CT (Brilliance 64 en versiones 2.6.2 y anteriores, Brilliance iCT en versiones 4.1.6 y anteriores, Brilliance iCT SP en versiones 3.2.4 y anteriores y Brilliance CT Big Bore 2.3.5 y anteriores) contiene credenciales fijas, como una contrase\u00f1a o clave criptogr\u00e1fica, que emplea para su propia autenticaci\u00f3n entrante, comunicaciones salientes a componentes externos o el cifrado de datos internos. Un atacante podr\u00eda comprometer estas credenciales y obtener acceso al sistema."}], "lastModified": "2019-10-09T23:42:57.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:philips:brilliance_firmware_64:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E298132-F9D0-4BB8-9100-BEFEF59E92BA", "versionEndIncluding": "2.6.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:philips:brilliance_64:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B75466BA-22B4-49E3-A5AB-DD4E19C752C1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:philips:brilliance_ict_sp_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3660331E-679A-4E55-9D74-7794833650FB", "versionEndIncluding": "3.2.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:philips:brilliance_ict_sp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ECC2680D-DCB1-48E6-9F44-A6D35D973DD9"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:philips:brilliance_ict_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2178E64D-018C-4AAC-9E4D-6671FECCCD2B", "versionEndIncluding": "4.1.6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:philips:brilliance_ict:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "54867DDB-FAAE-452A-9406-963ED07934C2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:philips:_brilliance_ct_big_bore_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2510AB7E-EBF6-41D3-9345-39A264695A84", "versionEndIncluding": "2.3.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:philips:_brilliance_ct_big_bore:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CE132B50-01A4-4AEB-A18D-28DDAF51830E"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}