Share this article on:
8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges.
The vulnerabilities affect the following Philips patient monitoring devices:
- Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
- PerformanceBridge Focal Point Version A.01
- IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
- IntelliVue X3 and X2 Versions N and prior
CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw.
CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it to be handled safely. Exploitation could trigger a denial of service condition through a system restart.
CVE-2020-16224 – CVSS 6.5/10 – Moderate Severity. When the software parses a formatted message or structure, it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. This could trigger a restart of the surveillance station resulting in interrupted monitoring.
CVE-2020-16228 – CVSS 6.0/10 – Moderate Severity. The software incorrectly checks the revocation status of a certificate, potentially allowing a compromised certificate to be used.
CVE-2020-16222 – CVSS 5.0/10 – Moderate Severity. When individuals claim to have a particular identity, there is insufficient authentication to prove the identity of that individual, potentially allowing unauthorized access to data.
CVE-2020-16214 – CVSS 4.2/10 – Moderate Severity. User-provided information is saved into a CSV file, but since special elements are not correctly neutralized, they could be interpreted as a command when the CSV file is opened using spreadsheet software.
CVE-2020-16218 – CVSS 3.5/10 – Low Severity. The product incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Exploitation could give an attacker read-only access to patient data.
CVE-2020-16220 – CVSS 3.5/10 – Low Severity. Product does not validate or incorrectly validates input to ensure it complies with the syntax, which could be exploited to cause the service to crash.
The vulnerabilities were identified by security researchers at ERNW Research GmbH, ERNW Enno, and Rey Netzwerke GmbH who reported the flaws to Philips. Philips reported the flaws to CISA and other government agencies under the company’s coordinated vulnerability disclosure policy.
There have been no reported cases of any of the vulnerabilities being exploited in the wild. Updates will be issued starting in 2020; however, in the meantime Philips recommends the following mitigations to make it harder for the vulnerabilities to be exploited:
- Physically or logically isolate the devices from the hospital local area network (LAN).
- Implement access control lists that restrict access in and out of the patient monitoring network for only necessary ports and IP addresses.
- Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.
- Enter a unique password of 8-12 unpredictable and randomized digits when enrolling new devices using SCEP
- Physically secure the devices to prevent unauthorized login attempts and ensure servers are located in locked data centers.
- Control access to patient monitors at nurses’ stations
- Block remote access to PIC iX servers if not required, and if remote access is necessary, only grant remote access on a must-have basis
- Apply the principle of least privilege and only allow access to bedside monitors to trusted users.
Users should contact their local or regional Philips service support teams for further information on updating the affected patient monitoring devices and applying mitigating measures.