ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued an advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device.

The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions.

The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3.

An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw would allow an attacker to execute arbitrary code and escalate privileges. The vulnerability has been assigned a CVSS v3 severity score of 4.2 (medium).

Philips discovered the vulnerabilities and self-reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

The improper privilege management vulnerability has been addressed in version 3.1 of IntelliSpace Cardiovascular software. Any user running IntelliSpace Cardiovascular version 2.x or prior versions or Xcelera V4.1 or prior versions should contact their Philips service support team to receive information on how they can upgrade to version 3.1.

Philips will be addressing the unquoted search path or element vulnerability in the next release of IntelliSpace Cardiovascular – V3.2 – which has been scheduled for release in October 2018. Until that point, interim mitigations can be implemented to reduce the potential for the vulnerability to be exploited. Philips suggests reviewing file permission policies and restricting available permissions where possible.

Several vulnerabilities have been identified in the IntelliSpace suite of products in recent months. In March 2018, ICS-CERT issued a warning about several vulnerabilities affecting all versions of iSite and IntelliSpace PACS, some of which were assigned a CVSS v3 severity score of 10 – The maximum score possible. If exploited the vulnerabilities could compromise patient confidentiality, system integrity, and/or system availability.

In February, ICS-CERT issued a warning about a slew of vulnerabilities in the IntelliSpace Portal that were assigned severity scores ranging from 3.1 to 8.1. In total, 35 vulnerabilities were detected, some of which could be exploited remotely and allowed remote code execution.

In January, a warning was issued about an insufficient session expiration vulnerability in IntelliSpace Cardiovascular that was assigned a CVSS v3 score of 6.7. Exploiting the vulnerability would require only a low skill level. If exploited, an attacker could gain access to sensitive patient information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.