CVE-2017-11578 - OpenCVE

It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Blipcare	Wi-fi Blood Pressure Monitor Wi-fi Blood Pressure Monitor Firmware

Configuration 1 [-]

AND

cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html	Third Party Advisory VDB Entry
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf	Exploit Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-02T20:33:14

Updated: 2019-07-02T20:33:34

Reserved: 2017-07-23T00:00:00

Link: CVE-2017-11578

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-02T21:15:09.870

Modified: 2019-07-15T13:10:30.407

Link: CVE-2017-11578

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-06-07T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-02T20:33:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20190609 Newly releases IoT security issues", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11578", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20190609 Newly releases IoT security issues", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"name": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"name": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf", "refsource": "MISC", "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11578", "datePublished": "2019-07-02T20:33:14", "dateReserved": "2017-07-23T00:00:00", "dateUpdated": "2019-07-02T20:33:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFBC8640-C65D-4A08-90C9-1DEAEE598C91", "versionEndIncluding": "bp700_10.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB414505-7BE8-463E-B036-16B53ADED4AA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare's device wireless network to easily sniff these values using a MITM attack."}, {"lang": "es", "value": "Se detect\u00f3 como parte de la investigaci\u00f3n sobre dispositivos IoT en el firmware m\u00e1s reciente para el dispositivo Blipcare, que el dispositivo permite conectarse a la interfaz de administraci\u00f3n web en una conexi\u00f3n no SSL usando el protocolo HTTP de texto plano. El usuario utiliza la interfaz de administraci\u00f3n web del dispositivo para proveer las credenciales Wi-Fi del usuario para que el dispositivo pueda conectarse a \u00e9l y tener acceso a Internet. Este dispositivo act\u00faa como un monitor de presi\u00f3n Sangu\u00ednea Inal\u00e1mbrico y es usado para medir los niveles de presi\u00f3n sangu\u00ednea de una persona. Esto permite a un atacante que est\u00e1 conectado a la red inal\u00e1mbrica del dispositivo Blipcare poder espiar f\u00e1cilmente estos valores mediante un ataque de tipo MITM."}], "id": "CVE-2017-11578", "lastModified": "2019-07-15T13:10:30.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-02T21:15:09.870", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}