CVE-2017-14018 - OpenCVE

An improper authentication issue was discovered in Johnson & Johnson Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can be bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability.

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ethicon	Endo-surgery Generator Gen11 Endo-surgery Generator Gen11 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ethicon:endo-surgery_generator_gen11_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ethicon:endo-surgery_generator_gen11:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/101978	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01	US Government Resource Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-12-05T23:00:00

Updated: 2017-12-06T10:57:01

Reserved: 2017-08-30T00:00:00

Link: CVE-2017-14018

JSON object: View

NVD Information

Status : Modified

Published: 2017-12-05T23:29:00.217

Modified: 2019-10-09T23:23:44.407

Link: CVE-2017-14018

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "Ethicon Endo-Surgery Generator G11", "vendor": "n/a", "versions": [{"status": "affected", "version": "Ethicon Endo-Surgery Generator G11"}]}], "datePublic": "2017-12-05T00:00:00", "descriptions": [{"lang": "en", "value": "An improper authentication issue was discovered in Johnson & Johnson Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can be bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-12-06T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "101978", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101978"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-14018", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ethicon Endo-Surgery Generator G11", "version": {"version_data": [{"version_value": "Ethicon Endo-Surgery Generator G11"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An improper authentication issue was discovered in Johnson & Johnson Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can be bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287"}]}]}, "references": {"reference_data": [{"name": "101978", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101978"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-14018", "datePublished": "2017-12-05T23:00:00", "dateReserved": "2017-08-30T00:00:00", "dateUpdated": "2017-12-06T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ethicon:endo-surgery_generator_gen11_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "41BE40E0-3AE7-498C-BEE9-F9B8886A0FC4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ethicon:endo-surgery_generator_gen11:-:*:*:*:*:*:*:*", "matchCriteriaId": "F123F258-704F-47C6-9089-5BC358649C03", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An improper authentication issue was discovered in Johnson & Johnson Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can be bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability."}, {"lang": "es", "value": "Se ha descubierto un problema de autenticaci\u00f3n indebida en Johnson Ethicon Endo-Surgery Generator Gen11, en todas las versiones lanzadas antes del 29 de noviembre de 2017. El mecanismo de autenticaci\u00f3n de seguridad empleado en Ethicon Endo-Surgery Generator Gen11 y en productos de uso para un solo paciente puede omitirse, permitiendo que dispositivos sin autorizaci\u00f3n se conecten al generador. Esto puede resultar en una p\u00e9rdida de integridad o disponibilidad."}], "id": "CVE-2017-14018", "lastModified": "2019-10-09T23:23:44.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-05T23:29:00.217", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101978"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource", "Third Party Advisory"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}