Risk | Low |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-19001 |
CWE-ID | CWE-326 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software Subscribe |
HealthSuite Health Android App Mobile applications / Apps for mobile phones |
Vendor | Philips |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU16355
Risk: Low
CVSSv3.1: 3.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:W/RC:C]
CVE-ID: CVE-2018-19001
CWE-ID:
CWE-326 - Inadequate Encryption Strength
Exploit availability: No
DescriptionThe vulnerability allows a physical attacker to bypass security restrictions on the target system.
The weakness exists due to the software uses simple encryption that is not strong enough for the level of protection required. A physical attacker can bypass security restrictions and impact confidentiality and integrity of the product.
A new release to mediate this vulnerability with be available during Quarter 1 of 2019.
As an interim mitigation to this vulnerability, Philips recommends the following:
Philips advises against jail-breaking or rooting mobile devices. A jail-broken or rooted device means one that is modified outside the mobile device or operating system vendor supported or warranted configurations. Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer. This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.
Vulnerable software versionsHealthSuite Health Android App: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSMA-18-340-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.