NVD Vulnerability Detail

CVE-2017-11580

Summary	Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. Presumably this happens as the memory footprint provided to this device is very small. According to the specs from Rezolt, the Wi-Fi module only has 256k of memory. As a result, an incorrect string copy operation using either memcpy, strcpy, or any of their other variants could result in filling up the memory space allocated to the function executing and this would result in memory corruption. To test the theory, one can modify the demo application provided by the Cypress WICED SDK and introduce an incorrect "memcpy" operation and use the compiled application on the evaluation board provided by Cypress semiconductors with exactly the same Wi-Fi SOC. The results were identical where the device would completely stop responding to any of the ping or web requests.
Publication Date	July 3, 2019, 6:15 a.m.
Registration Date	Jan. 26, 2021, 1:13 p.m.
Last Update	Nov. 21, 2024, 12:08 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:blipcare:wi-fi_blood_pressure_monitor_firmware::::::::			bp700_10.1
execution environment
1	cpe:2.3:h:blipcare:wi-fi_blood_pressure_monitor:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html	Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html	Third Party Advisory VDB Entry
3	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf	Exploit Third Party Advisory
4	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf	Exploit Third Party Advisory
5	https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory
6	https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-399	リソース管理の問題	https://cwe.mitre.org/data/definitions/399.html

JVN Vulnerability Information

Blipcare Wifi blood pressure monitor デバイスにおけるリソース管理に関する脆弱性

Title	Blipcare Wifi blood pressure monitor デバイスにおけるリソース管理に関する脆弱性
Summary	Blipcare Wifi blood pressure monitor デバイスには、リソース管理に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	July 23, 2017, midnight
Registration Date	July 17, 2019, 2:01 p.m.
Last Update	July 17, 2019, 2:01 p.m.

Affected System

Blipcare

Wifi blood pressure monitor ファームウェア BP700 10.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-11580	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11580
National Vulnerability Database (NVD)
2	CVE-2017-11580	https://nvd.nist.gov/vuln/detail/CVE-2017-11580

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
Blipcare
1	Wi-Fi Blood Pressure Monitor	http://www.blipcare.com/blip-bp.html

その他

No	Name	URL
関連文書
1	IoT_vulnerabilities/Blipcare_sec_issues.pdf	https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf

Change Log

No	Changed Details	Date of change
1	[2019年07月17日] 掲載	July 17, 2019, 2:01 p.m.