Vulnerability Identified in Philips IntelliSpace Perinatal Information Management System

A vulnerability has been identified in the Philips IntelliSpace Perinatal obstetrics information management system.

The vulnerability – CVE-2019-13546 – could be exploited remotely by an authorized remote desktop session host application user or by an individual with physical access to a locked application screen. The vulnerability affects IntelliSpace Perinatal Versions K and earlier and requires a low level of skill to exploit. The flaw has been assigned a CVSS v3 base score of 6.1 out of 10 (medium severity).

Exploitation of the vulnerability would allow an attacker to break out of the containment of the application and access resources from the Windows operating system as the limited-access Windows user. If an attacker used exploits for vulnerabilities in Windows once access to the operating system had been achieved, the attacker could potentially elevate operating system privileges to administrator level.

Once access to the operating system has been achieved, an attacker could execute software; view, update, or delete files and directories; and alter the system configuration. This could compromise the confidentiality, integrity, and availability of the system and application. If the Document Export (DOX) function has been installed on the application server, protected health information would also be at risk of exposure.

The vulnerability was identified by Brian Landrum of Coalfire LABS, who reported it to Philips. Under Philips’ Coordinated Vulnerability Disclosure Policy, an advisory was issued to raise awareness of the flaw and allow users to implement mitigating controls to prevent exploitation.

Philips is assessing whether the vulnerability can be corrected in the next product update, which is scheduled to be released at the end of 2020. In the meantime, Philips has issued guidance on mitigations that can be implemented to reduce the potential for exploitation, which are available to users of the obstetrics information management system through Philips InCenter and on the US-CERT website. Product documentation will also be updated to include details of the mitigations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.