Security restrictions bypass in Philips HealthSuite Health Android App



Published: 2018-12-11
Risk: Low
Patch available: No
Number of vulnerabilities: 1
CVE-ID: CVE-2018-19001
CWE-ID: CWE-326
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
HealthSuite Health Android App
Mobile applications / Apps for mobile phones

Vendor: Philips

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Security restrictions bypass

EUVDB-ID: #VU16355

Risk: Low

CVSSv3.1: 3.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:W/RC:C]

CVE-ID: CVE-2018-19001

CWE-ID: CWE-326 - Inadequate Encryption Strength

Exploit availability: No

Description

The vulnerability allows a physical attacker to bypass security restrictions on the target system.

The weakness exists because the software uses simple encryption that is not strong enough for the level of protection required. A physical attacker can bypass security restrictions and impact the confidentiality and integrity of the product.

Mitigation

A new release to remediate this vulnerability will be available during Quarter 1 of 2019.

As an interim mitigation to this vulnerability, Philips recommends the following:

Philips advises against jail-breaking or rooting mobile devices. A jail-broken or rooted device means one that is modified outside the mobile device or operating system vendor supported or warranted configurations. Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer. This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.

Vulnerable software versions

HealthSuite Health Android App: All versions

External links

http://ics-cert.us-cert.gov/advisories/ICSMA-18-340-01


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


