CVE-2017-11580

CVE-2017-11580 is a medium-severity vulnerability in Blipcare Wi-fi Blood Pressure Monitor Firmware with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-399.

Key facts

Description

Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. Presumably this happens as the memory footprint provided to this device is very small. According to the specs from Rezolt, the Wi-Fi module only has 256k of memory. As a result, an incorrect string copy operation using either memcpy, strcpy, or any of their other variants could result in filling up the memory space allocated to the function executing and this would result in memory corruption. To test the theory, one can modify the demo application provided by the Cypress WICED SDK and introduce an incorrect "memcpy" operation and use the compiled application on the evaluation board provided by Cypress semiconductors with exactly the same Wi-Fi SOC. The results were identical where the device would completely stop responding to any of the ping or web requests.

Frequently asked questions

What is CVE-2017-11580?
Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. Presumably this happens as the memory footprint provided to this device is very small. According to the specs from Rezolt, the Wi-Fi module only has 256k of memory. As a result, an incorrect string copy operation using either memcpy, strcpy, or any of their other variants could result in filling up the memory space allocated to the function executing and this would result in memory corruption. To test the theory, one can modify the demo application provided by the Cypress WICED SDK and introduce an incorrect "memcpy" operation and use the compiled application on the evaluation board provided by Cypress semiconductors with exactly the same Wi-Fi SOC. The results were identical where the device would completely stop responding to any of the ping or web requests.
How severe is CVE-2017-11580?
CVE-2017-11580 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2017-11580 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (70th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2017-11580?
CVE-2017-11580 affects Blipcare Wi-fi Blood Pressure Monitor Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2017-11580?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2017-11580 published?
CVE-2017-11580 was published on 2019-07-02 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Blipcare Wi-fi Blood Pressure Monitor Firmware

All CVEs affecting Blipcare Wi-fi Blood Pressure Monitor Firmware →

Other CWE-399 (Resource Management Errors) vulnerabilities

Browse all CWE-399 (Resource Management Errors) vulnerabilities →