The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a further advisory about Philips healthcare devices after nine vulnerabilities were self-reported to the National Cybersecurity & Communications Integration Center (NCCIC) by the Amsterdam-based technology company.
This is the fourth advisory issued by ICS-CERT in the past month. Previous advisories covered cybersecurity vulnerabilities in Philips' central patient monitoring system, Philips IntelliVue Information Center iX (1 vulnerability); Philips PageWriter Cardiographs (2 vulnerabilities); and Philips IntelliSpace Cardiovascular cardiac image and information management software (2 vulnerabilities).
The latest advisory concerns nine vulnerabilities discovered in Philips e-Alert units. These are non-medical devices that monitor imaging systems such as MRI machines to identify issues rapidly before they escalate. The devices are used by healthcare providers around the world.
One of the vulnerabilities is rated critical, five are high severity, and three are medium severity. If the vulnerabilities are exploited, an attacker on the same subnet could potentially obtain user contact details, compromise unit integrity/availability, and provide unexpected input to the application and execute arbitrary code, altering display unit information or causing the device to crash. The vulnerabilities affect all versions of the software, including R2.1.
In order of severity, the vulnerabilities are:
CVE-2018-8856 (CWE-798) – Hard-Coded Credentials – CVSS v3 score: 9.8
A hard-coded cryptographic key is present in the software which is used for the encryption of internal data.
CVE-2018-8842 (CWE-319) – Cleartext Transmission of Sensitive Information – CVSS v3 score: 7.5
Sensitive and security-critical data are transmitted in cleartext which could be intercepted by individuals unauthorized to view the information. Since the Philips e-Alert communication channel is not encrypted, personal contact information and application login credentials could be obtained from within the same subnet.
CVE-2018-8854 (CWE-400) – Uncontrolled Resource Consumption – CVSS v3 score: 7.5
The size or amount of resources requested or influenced by an actor is not properly restricted, which can be used to consume more resources than intended.
CVE-2018-8850 (CWE-20) – Improper Input Validation – CVSS v3 score: 7.1
Input is improperly validated, which would allow an attacker to craft input in a form not expected by the application. Parts of the unit could receive unintended input, potentially resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.
CVE-2018-8846 (CWE-79) – Improper Neutralization of Input During Web Page Generation – CVSS v3 score: 7.1
The software fails to neutralize or improperly neutralizes user-controlled input before being placed in output that is used as a web page which is subsequently served to other users.
CVE-2018-8848 (CWE-276) – Incorrect Default Permissions – CVSS v3 score: 7.1
When the software is installed, incorrect permissions are set for an object that exposes it to an unintended actor.
CVE-2018-8844 (CWE-352) – Cross-Site Request Forgery – CVSS v3 score: 6.8
The web application does not adequately verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CVE-2018-8852 (CWE-384) – Session Fixation – CVSS v3 score: 6.4
When a user is authenticated or a new user session is established without invalidating any existing session identifier, an attacker is given an opportunity to steal authenticated sessions.
CVE-2018-14803 (CWE-200) – Information Exposure – CVSS v3 score: 5.3
This is a banner disclosure vulnerability that could allow an attacker to gain product information, such as the OS and software components, via the HTTP response header. This information would normally not be available to an attacker.
Four of the vulnerabilities have been addressed with the release of R2.1 (CVE-2018-8842, CVE-2018-8856, CVE-2018-8850, CVE-2018-8852) and the remaining five vulnerabilities (CVE-2018-8854, CVE-2018-8846, CVE-2018-8848, CVE-2018-14803, CVE-2018-8844) will be addressed with a software update which has been planned for the end of the year.
Users of vulnerable devices should ensure that they have upgraded to software version R2.1, which will address four of the vulnerabilities, including the critical hard-coded credential flaw.
Philips also recommends users take the following actions as an immediate mitigation to reduce the potential for exploitation of the five remaining flaws until the next software update is released:
- Ensure that network security best practices are implemented, and
- Limit network access to e-Alert in accordance with product documentation.