Share this article on:
Multiple vulnerabilities have been identified in Philips Vue PACS products, including 5 critical flaws with a 9.8 severity rating and 4 high severity flaws.
Some of the vulnerabilities can be exploited remotely and there is a low attack complexity. Successful exploitation of the flaws would allow an unauthorized to gain system access, eavesdrop, view and modify data, execute arbitrary code, install unauthorized software, or compromise system integrity and gain access to sensitive data or negatively affect the availability of the system.
The vulnerabilities were recently reported to CISA by Philips and affect the following Philips Vue PACS products:
- Vue PACS: Versions 12.2.x.x and prior
- Vue MyVue: Versions 12.2.x.x and prior
- Vue Speech: Versions 12.2.x.x and prior
- Vue Motion: Versions 220.127.116.11 and prior
- CVE-2020-1938 – Improper validation of input to ensure safe and correct data processing, potentially allowing remote code execution – (CVSS v3 9.8/10)
- CVE-2018-12326 – Buffer overflow issue in Redis third-party software allowing code execution and escalation of privileges – (CVSS v3 9.8/10)
- CVE-2018-11218 – Memory corruption vulnerability in Redis software – (CVSS v3 9.8/10)
- CVE-2020-4670 – Improper authentication issue within the Redis software component – (CVSS v3 9.8/10)
- CVE-2018-8014 – Default settings for the CORS filter are not secure – (CVSS v3 9.8/10)
High Severity Vulnerabilities
- CVE-2021-33020 – Use of a cryptographic key past its expiration date – (CVSS v3 8.2/10)
- CVE-2018-10115 – Incorrect initialization logic of RAR decoder objects in 7-Zip potentially allowing denial of service or remote execution of code via a specially crafted RAR file – (CVSS v3 7.8/10)
- CVE-2021-27501 – Failure to follow coding rule for development – (CVSS v3 7.5/10)
- CVE-2021-33022 -Transmission of sensitive/security-critical data in cleartext – (CVSS v3 7.5/10)
Medium Severity Vulnerabilities
- CVE-2021-33018 – Use of a broken or risky cryptographic algorithm – (CVSS v3 6.5/10)
- CVE-2021-27497 – Failure of mechanism that protects against direct attacks – (CVSS v3 6.5/10)
- CVE-2012-1708 – Oracle Database vulnerability that could affect data integrity – (CVSS v3 6.5/10).
- CVE-2015-9251 – Cross site scripting vulnerability due to improper neutralization of user-controllable input – (CVSS v3 6.1/10)
- CVE-2021-27493 – Failure to ensure structured messages or data are well formed and security properties are met – (CVSS v3 6.1/10)
- CVE-2019-9636 – Improper handling of input containing Unicode encoding – (CVSS v3 5.3/10)
Low Severity Vulnerability
- CVE-2021-33024 – Insecure method of transmission/storage of authentication credentials- (CVSS v3 3.7/10)
Philips recommends Philips configuring the Vue PACS environment per D00076344 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.
Philips has already corrected some of the vulnerabilities in versions 18.104.22.168 (MyVue/Vue Motion), Version 22.214.171.124 (Vue Speech), and Version 126.96.36.199 (Vue PACS), including 4 of the 5 critical flaws.
Version 15 of the software will be released in Q1, 2022 to correct the remaining vulnerabilities in PACS, Speech, MyVue.