#VU16355 Security restrictions bypass in HealthSuite Health Android App
Vulnerability identifier: #VU16355
Vulnerability risk: Low
CVSSv3.1: 3.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:W/RC:C]
CVE-ID:
CWE-ID:
CWE-326
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
HealthSuite Health Android App
Mobile applications /
Apps for mobile phones
Vendor: Philips
Description
The vulnerability allows a physical attacker to bypass security restrictions on the target system.
The weakness exists due to the software uses simple encryption that is not strong enough for the level of protection required. A physical attacker can bypass security restrictions and impact confidentiality and integrity of the product.
Mitigation
A new release to mediate this vulnerability with be available during Quarter 1 of 2019.
As an interim mitigation to this vulnerability, Philips recommends the following:
Philips advises against jail-breaking or rooting mobile devices. A jail-broken or rooted device means one that is modified outside the mobile device or operating system vendor supported or warranted configurations. Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer. This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.
Vulnerable software versions
HealthSuite Health Android App: All versions
External links
http://ics-cert.us-cert.gov/advisories/ICSMA-18-340-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
