#VU16355 Security restrictions bypass in HealthSuite Health Android App - CVE-2018-19001
Published: December 11, 2018
Vulnerability identifier: #VU16355
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-19001
CWE-ID: CWE-326
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
HealthSuite Health Android App
HealthSuite Health Android App
Software vendor:
Philips
Philips
Description
The vulnerability allows a physical attacker to bypass security restrictions on the target system.
The weakness exists due to the software uses simple encryption that is not strong enough for the level of protection required. A physical attacker can bypass security restrictions and impact confidentiality and integrity of the product.
The weakness exists due to the software uses simple encryption that is not strong enough for the level of protection required. A physical attacker can bypass security restrictions and impact confidentiality and integrity of the product.
Remediation
A new release to mediate this vulnerability with be available during Quarter 1 of 2019.
As an interim mitigation to this vulnerability, Philips recommends the following:
Philips advises against jail-breaking or rooting mobile devices. A jail-broken or rooted device means one that is modified outside the mobile device or operating system vendor supported or warranted configurations. Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer. This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.