The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory covering vulnerabilities in certain Philips IntelliVue patient monitors and Avalon fetal monitors.
Philips identified three vulnerabilities and reported them to ICS-CERT: two are rated high severity and one medium.
If successfully exploited, the flaws could allow an attacker to read or write device memory, or to trigger a denial of service by forcing a system restart. Either outcome could delay the diagnosis and treatment of patients. The affected products are:
- IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M;
- IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only);
- Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3
CWE-287 – Improper Authentication Vulnerability
An attacker who has already gained access to the LAN could exploit this vulnerability, without authenticating, to write to the memory of a chosen device within the same subnet (a write-what-where condition).
CWE-200 – Information Exposure Vulnerability
Exploitation of this vulnerability could allow an unauthenticated attacker on the same subnet to read the memory of a chosen device.
CWE-121 – Stack-Based Buffer Overflow Vulnerability
The affected devices expose an echo service. A buffer sent by an attacker to an attacker-chosen device address within the same subnet is copied onto the stack with no bounds checking, resulting in a stack-based buffer overflow.
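The following C program is an added illustration of the CWE-121 pattern just described, not Philips code and not the real IntelliVue or Avalon echo protocol. It models a hypothetical echo request as a two-byte big-endian length field followed by a payload (an assumption made for the example), shows a handler that trusts that length and copies it onto a fixed-size stack buffer, and places the hardened handler that validates the length before copying beside it. The sample frames are constructed inline.

```c
/*
 * Added illustration of the CWE-121 echo-service pattern. Hypothetical frame
 * layout (assumed for this example): 2-byte big-endian length + payload.
 * Not Philips code; the real device protocol is not described on this page.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ECHO_BUF_SIZE 64

/* Vulnerable form: trusts the length field in the frame and copies that many
 * bytes into a fixed-size stack buffer. A frame whose declared length exceeds
 * ECHO_BUF_SIZE overruns the buffer (stack-based buffer overflow). Only call
 * this with benign input; an oversized frame corrupts the stack. */
int echo_handle_unsafe(const uint8_t *frame, size_t frame_len,
                       uint8_t *out, size_t out_cap)
{
    char buf[ECHO_BUF_SIZE];
    if (frame_len < 2) return -1;
    size_t len = ((size_t)frame[0] << 8) | frame[1];

    /* BUG: no check that len <= sizeof buf, nor that len <= frame_len - 2 */
    memcpy(buf, frame + 2, len);

    if (len > out_cap) return -1;
    memcpy(out, buf, len);
    return (int)len;
}

/* Hardened form: the declared length is validated against the stack buffer,
 * the bytes actually present in the frame, and the caller's output buffer
 * before any copy. Oversized or truncated frames are rejected, not echoed. */
int echo_handle_safe(const uint8_t *frame, size_t frame_len,
                     uint8_t *out, size_t out_cap)
{
    char buf[ECHO_BUF_SIZE];
    if (frame_len < 2) return -1;
    size_t len = ((size_t)frame[0] << 8) | frame[1];

    if (len > sizeof buf)      return -1;  /* would overflow the stack buffer */
    if (len > frame_len - 2)   return -1;  /* declared length exceeds payload present */
    if (len > out_cap)         return -1;  /* would overflow the caller's buffer */

    memcpy(buf, frame + 2, len);
    memcpy(out, buf, len);
    return (int)len;
}

/* Build a frame: 2-byte big-endian length header followed by the payload.
 * declared_len may differ from payload_len to model a malicious frame.
 * Returns the total frame size, or 0 if dst is too small. */
size_t echo_build_frame(uint8_t *dst, size_t dst_cap, uint16_t declared_len,
                        const uint8_t *payload, size_t payload_len)
{
    if (dst_cap < 2 + payload_len) return 0;
    dst[0] = (uint8_t)(declared_len >> 8);
    dst[1] = (uint8_t)(declared_len & 0xff);
    memcpy(dst + 2, payload, payload_len);
    return 2 + payload_len;
}

int main(void)
{
    uint8_t frame[512], out[ECHO_BUF_SIZE];
    const uint8_t hello[] = "PING-001";   /* constructed sample payload */

    size_t n = echo_build_frame(frame, sizeof frame, 8, hello, 8);
    printf("benign frame, safe handler: %d bytes echoed\n",
           echo_handle_safe(frame, n, out, sizeof out));

    /* Malicious frame: declares 400 bytes, so the unsafe handler would write
     * 400 bytes into a 64-byte stack buffer. The safe handler refuses it. */
    uint8_t big[400];
    memset(big, 'A', sizeof big);
    n = echo_build_frame(frame, sizeof frame, 400, big, sizeof big);
    printf("oversized frame, safe handler: %d (rejected)\n",
           echo_handle_safe(frame, n, out, sizeof out));
    return 0;
}
```

The point of the hardened handler is that every length it copies is bounded by three independent limits before the copy happens; the "declared length exceeds payload present" check matters as much as the stack-size check, because an over-read of the receive buffer is the same class of mistake in the other direction.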
Philips disclosed the vulnerabilities under its Coordinated Vulnerability Disclosure Policy. The advisory was issued proactively so that users of the affected products can take action to prevent exploitation.
Philips notes that the vulnerabilities are not remotely exploitable: an attacker must first gain access to the LAN on which the medical devices sit. Exploiting them also requires a considerable degree of technical expertise.
No public exploits for the vulnerabilities have been detected and there have been no reports of any exploitation of the vulnerabilities in the wild.
Philips is working on a patch to address all three issues on IntelliVue software Revisions J-M and Avalon software Revisions G.0 and J.3, expected in 2018. For versions no longer supported, Philips will provide an update path to a supported version; users of unsupported versions should contact their Philips sales representative for further information.
In the meantime, users of the affected products can take the following steps to reduce the potential for exploitation of the vulnerabilities:
- IntelliVue Monitors – Follow instructions for use in the Security for Clinical Networks Guide and update to Revision K.2 or newer software.
- Avalon Fetal Monitors Release G.0 and Release J.3 – Follow the Data Privacy and Network Security Requirements in the installation and service manual.
- Avalon Fetal Monitors Release F.0 – Follow the instructions as documented in the Rev J.3 Service Guide Data Privacy and Network Security Requirements section.
- Implement physical security access controls to restrict access to the devices to authorized users, as detailed in the Philips Security for Clinical Networks guide and the IntelliVue Clinical Networks Configuration Guide.
- Implement logical security access controls to prevent the devices from communicating outside the Philips clinical network.
- Locate all vulnerable devices behind firewalls and isolate them from the business network.
- Ensure the devices are not accessible over the Internet.