CVE-2022-41627

{"id": "CVE-2022-41627", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 0.5}]}, "published": "2022-10-27T21:15:15.573", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "\nThe physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone\u2019s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.\n\n"}, {"lang": "es", "value": "El dispositivo f\u00edsico IoT de AliveCor's KardiaMobile, basado en un tel\u00e9fono inteligente de electrocardiograma personal (EKG), no tiene cifrado para sus protocolos de datos sobre sonido. Explotar esta vulnerabilidad podr\u00eda permitir a un atacante leer los resultados del EKG del paciente o crear una condici\u00f3n de Denegaci\u00f3n de Servicio al emitir sonidos en frecuencias similares a las del dispositivo, interrumpiendo la capacidad del micr\u00f3fono del tel\u00e9fono inteligente para leer los datos con precisi\u00f3n. Para llevar a cabo este ataque, el atacante debe estar cerca (a menos de 5 pies) para captar y emitir ondas sonoras."}], "lastModified": "2023-11-07T03:52:51.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C5ED3887-643F-430C-B2A1-CCEDBE71F2B6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EADECC1-EF47-43B5-9213-CA92945DE4A8"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EB03F4F8-687B-493D-BBEA-553831EBBA43"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A5B811-EFDF-4497-9E4C-D2D663C5A15B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "18DF9CF0-6D64-474C-A65C-5003893A5C79"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FF05B50-32FB-4BCE-9C84-BDB46CDAC1D8"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}