CVE-2021-42744 - OpenCVE

Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Philips	Mri 1.5t Firmware Mri 3t Firmware Mri 3t Mri 1.5t

Configuration 1 [-]

AND

cpe:2.3:o:philips:mri_1.5t_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:mri_1.5t:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:philips:mri_3t_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:philips:mri_3t:-:*:*:*:*:*:*:*

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01	Third Party Advisory US Government Resource
https://www.usa.philips.com/healthcare/about/customer-support/product-security	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2021-11-19T18:36:49

Updated: 2021-11-19T18:36:49

Reserved: 2021-11-11T00:00:00

Link: CVE-2021-42744

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-19T19:15:09.147

Modified: 2022-08-09T14:42:01.877

Link: CVE-2021-42744

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "MRI 1.5T", "vendor": "Philips", "versions": [{"status": "affected", "version": "All 5.x.x"}]}, {"product": "MRI 3T", "vendor": "Philips", "versions": [{"status": "affected", "version": "5.x.x"}]}], "credits": [{"lang": "en", "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."}], "descriptions": [{"lang": "en", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-19T18:36:49", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"tags": ["x_refsource_MISC"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}], "source": {"advisory": "ICSMA-21-313-01", "discovery": "EXTERNAL"}, "title": "Philips MRI 1.5T and 3T Information Exposure", "workarounds": [{"lang": "en", "value": "Philips plans a new release to remediate these vulnerabilities by October 2022. As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-42744", "STATE": "PUBLIC", "TITLE": "Philips MRI 1.5T and 3T Information Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MRI 1.5T", "version": {"version_data": [{"version_affected": "=", "version_name": "All", "version_value": "5.x.x"}]}}, {"product_name": "MRI 3T", "version": {"version_data": [{"version_affected": "=", "version_value": "5.x.x"}]}}]}, "vendor_name": "Philips"}]}}, "credit": [{"lang": "eng", "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security", "refsource": "MISC", "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}]}, "source": {"advisory": "ICSMA-21-313-01", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Philips plans a new release to remediate these vulnerabilities by October 2022. As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."}]}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-42744", "datePublished": "2021-11-19T18:36:49", "dateReserved": "2021-11-11T00:00:00", "dateUpdated": "2021-11-19T18:36:49", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:mri_1.5t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B195E6-DBA3-44A1-ACD4-4961F62C0B5C", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:mri_1.5t:-:*:*:*:*:*:*:*", "matchCriteriaId": "27C345BC-B71C-4EA3-A7FD-07354F2D9375", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:mri_3t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6E28B57-F160-4463-A019-01C016729B87", "versionEndExcluding": "6.0.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:mri_3t:-:*:*:*:*:*:*:*", "matchCriteriaId": "D61A1A34-1132-47AC-9BBB-06537D59C9FA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive information to an actor not explicitly authorized to have access."}, {"lang": "es", "value": "Philips MRI 1.5T y MRI 3T versi\u00f3n 5.x.x, expone informaci\u00f3n confidencial a un actor no autorizado expl\u00edcitamente a tener acceso"}], "id": "CVE-2021-42744", "lastModified": "2022-08-09T14:42:01.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-11-19T19:15:09.147", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}