SB2018082016 - Security restrictions bypass vulnerabilities in Philips PageWriter
Published: August 20, 2018
Description
This security bulletin contains information about 2 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2018-14799)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local unauthenticated attacker to bypass security restrictions on the target system.
The weakness exists due to a boundary error or format string issue when handling malicious input. A local attacker can supply specially crafted data and trigger memory corruption to access and modify settings on the device.
2) Use of hardcoded credentials (CVE-ID: CVE-2018-14801)
CWE-ID: CWE-798 - Use of Hard-coded Credentials
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a physical attacker with superuser privileges to bypass security restrictions on the target system.
The weakness exists due to the use of hardcoded credentials. A physical attacker can enter the superuser password, which can be used to access and modify all settings on the device, as well as to reset existing passwords.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.