
Multiple Critical Vulnerabilities Affect Philips Vue PACS Products

Multiple vulnerabilities have been identified in Philips Vue PACS products, including 5 critical flaws with a 9.8 severity rating and 4 high severity flaws.

Some of the vulnerabilities can be exploited remotely and have a low attack complexity. Successful exploitation of the flaws would allow an unauthorized individual to gain system access, eavesdrop, view and modify data, execute arbitrary code, install unauthorized software, or compromise system integrity, and thereby gain access to sensitive data or negatively affect the availability of the system.

The vulnerabilities were recently reported to CISA by Philips and affect the following Philips Vue PACS products:

  • Vue PACS: Versions 12.2.x.x and prior
  • Vue MyVue: Versions 12.2.x.x and prior
  • Vue Speech: Versions 12.2.x.x and prior
  • Vue Motion: Versions 12.2.1.5 and prior

Critical Vulnerabilities

  • CVE-2020-1938 – Improper validation of input to ensure safe and correct data processing, potentially allowing remote code execution – (CVSS v3 9.8/10)
  • CVE-2018-12326 – Buffer overflow issue in Redis third-party software allowing code execution and escalation of privileges – (CVSS v3 9.8/10)
  • CVE-2018-11218 – Memory corruption vulnerability in Redis software – (CVSS v3 9.8/10)
  • CVE-2020-4670 – Improper authentication issue within the Redis software component – (CVSS v3 9.8/10)
  • CVE-2018-8014 – Default settings for the CORS filter are not secure – (CVSS v3 9.8/10)

High Severity Vulnerabilities

  • CVE-2021-33020 – Use of a cryptographic key past its expiration date – (CVSS v3 8.2/10)
  • CVE-2018-10115 – Incorrect initialization logic of RAR decoder objects in 7-Zip potentially allowing denial of service or remote execution of code via a specially crafted RAR file – (CVSS v3 7.8/10)
  • CVE-2021-27501 – Failure to follow coding rule for development – (CVSS v3 7.5/10)
  • CVE-2021-33022 – Transmission of sensitive/security-critical data in cleartext – (CVSS v3 7.5/10)

Medium Severity Vulnerabilities

  • CVE-2021-33018 – Use of a broken or risky cryptographic algorithm – (CVSS v3 6.5/10)
  • CVE-2021-27497 – Failure of mechanism that protects against direct attacks – (CVSS v3 6.5/10)
  • CVE-2012-1708 – Oracle Database vulnerability that could affect data integrity – (CVSS v3 6.5/10)
  • CVE-2015-9251 – Cross site scripting vulnerability due to improper neutralization of user-controllable input – (CVSS v3 6.1/10)
  • CVE-2021-27493 – Failure to ensure structured messages or data are well formed and security properties are met – (CVSS v3 6.1/10)
  • CVE-2019-9636 – Improper handling of input containing Unicode encoding – (CVSS v3 5.3/10)

Low Severity Vulnerability

  • CVE-2021-33024 – Insecure method of transmission/storage of authentication credentials – (CVSS v3 3.7/10)

Mitigations

Philips recommends configuring the Vue PACS environment per D00076344 – Vue_PACS_12_Ports_Protocols_Services_Guide, available on Incenter.


Philips has already corrected some of the vulnerabilities in version 12.2.1.5 (Vue MyVue/Vue Motion), version 12.2.8.0 (Vue Speech), and version 12.2.8.0 (Vue PACS), including 4 of the 5 critical flaws.

Version 15 of the software will be released in Q1 2022 to correct the remaining vulnerabilities in Vue PACS, Vue Speech, and Vue MyVue.

Full details are available here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
