CVE-2017-11579

In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is in vicinity of Wireless signal generated by the Blipcare device to easily sniff the credentials. Also, an attacker can connect to the open wireless network "Blip" exposed by the device and modify the HTTP response presented to the user by the device to execute other attacks such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware.

CVSS v3 7.1 HIGH
CVSS v2.0 4.8 MEDIUM

7.1^/10

CVSS v3 : HIGH

Vector : AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability : 2.8 / Impact : 4.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 6.5 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html	Third Party Advisory VDB Entry
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf	Exploit Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-07-02 21:15

Updated : 2024-02-04 20:20

NVD link : CVE-2017-11579

Mitre link : CVE-2017-11579

CVE.ORG link : CVE-2017-11579

JSON object : View

Products Affected

blipcare

wi-fi_blood_pressure_monitor_firmware
wi-fi_blood_pressure_monitor

CWE

CWE-254

7PK - Security Features

{"id": "CVE-2017-11579", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2019-07-02T21:15:09.930", "references": [{"url": "http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-254"}]}], "descriptions": [{"lang": "en", "value": "In the most recent firmware for Blipcare, the device provides an open Wireless network called \"Blip\" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is in vicinity of Wireless signal generated by the Blipcare device to easily sniff the credentials. Also, an attacker can connect to the open wireless network \"Blip\" exposed by the device and modify the HTTP response presented to the user by the device to execute other attacks such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware."}, {"lang": "es", "value": "En el firmware m\u00e1s reciente para Blipcare, el dispositivo provee una red inal\u00e1mbrica abierta llamada \"Blip\" para comunicarse con el dispositivo. El usuario se conecta a esta red inal\u00e1mbrica abierta y utiliza la interfaz de administraci\u00f3n web del dispositivo para proporcionar las credenciales de Wi-Fi del usuario para que el dispositivo pueda conectarse a \u00e9l y tener acceso a Internet. Este dispositivo act\u00faa como un monitor de presi\u00f3n Sangu\u00ednea Inal\u00e1mbrico y es usado para medir los niveles de presi\u00f3n sangu\u00ednea de una persona. Esto permite a un atacante que est\u00e9 cerca de la se\u00f1al inal\u00e1mbrica generada por el dispositivo Blipcare poder espiar f\u00e1cilmente las credenciales. Adicionalmente, un atacante puede conectarse a la red inal\u00e1mbrica abierta \"Blip\" expuesta por el dispositivo y modificar la respuesta HTTP presentada al usuario mediante el dispositivo para ejecutar otros ataques, tales como convencer al usuario de descargar y ejecutar un binario malicioso que infectar\u00eda con malware a un ordenador o dispositivo m\u00f3vil del usuario."}], "lastModified": "2019-07-15T13:29:10.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFBC8640-C65D-4A08-90C9-1DEAEE598C91", "versionEndIncluding": "bp700_10.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BB414505-7BE8-463E-B036-16B53ADED4AA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}