SB2018083105 - Multiple vulnerabilities in Philips e-Alert Unit
Published: August 31, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2018-8850)
The disclosed vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to insufficient input validation. A remote attacker can craft the input in a form that is not expected by the rest of the application, cause parts of the unit to receive unintended input, trigger altered control flow, arbitrary control of a resource, or execute arbitrary code.
2) Information disclosure (CVE-ID: CVE-2018-8842)
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to the software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. A remote attacker can disclose personal contact information and application login credentials from within the same subnet.
3) Use of hard-coded cryptographic key (CVE-ID: CVE-2018-8856)
The disclosed vulnerability allows a remote attacker to gain elevated privileges.
The vulnerability exists due use of hard-coded cryptographic key. A remote attacker can encrypt internal data and gain elevated privileges.
4) Session hijacking (CVE-ID: CVE-2018-8852)
The disclosed vulnerability allows a remote attacker to session fixation attack.
The vulnerability exists due the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. A remote attacker can steal authenticated sessions.
Remediation
Install update from vendor's website.