High Severity Vulnerabilities Identified in Philips Tasy EMR

Share this article on:

Two high severity vulnerabilities have been identified in the Philips Tasy EMR that could allow sensitive patient data to be extracted from the database. The vulnerabilities can be exploited remotely, there is a low attack complexity, and exploits for the vulnerabilities are in the public domain.

Philips says the vulnerabilities affect Tasy EMR HTML5 3.06.1803 and prior versions, with the affected products used primarily in South and Central America. The vulnerabilities were identified and publicly disclosed by a security researcher who did not follow responsible disclosure protocols and failed to coordinate with Philips.

The two flaws are both SQL injection vulnerabilities that have been assigned a CVSS v3 severity score of 8.8 out of 10. Both are due to improper neutralization of special elements in SQL commands.

The first flaw, tracked as CVE-2021-39375, allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. The second, tracked as CVE-2021-39376, allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.

By exploiting the flaws, a remote attacker could expose patient data, extract information from the database, or trigger a denial-of-service condition.

Philips says it reported the vulnerabilities to CISA and has fixed both vulnerabilities in Tasy EMR HTML5 to Version 3.06.1804. All healthcare providers using a vulnerable version of the EMR system should update to version 3.06.1804. or later as soon as possible to prevent exploitation. Prior to upgrading to the latest version, CISA recommends performing an impact analysis and risk assessment.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On