Vulnerability identified in Philips Ultrasound Systems
Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls.
The flaw is tracked as CVE-2020-14477. It is considered low severity and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk.
The flaw affects the following Philips Ultrasound Systems:
- Ultrasound ClearVue Versions 3.2 and prior
- Ultrasound CX Versions 5.0.2 and prior
- Ultrasound EPIQ/Affiniti Versions VM5.0 and prior
- Ultrasound Sparq Version 3.0.2 and prior
- Ultrasound Xperius, all versions
The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update.
Users of all other affected systems will have to wait until Q4 2020 for an update to be released. Philips will correct the flaw in the Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 releases in Q4 2020.
As an interim measure, Philips recommends that users ensure their service providers guarantee device integrity during service and repair operations. It is also advisable to implement physical security measures to prevent unauthorized access to the devices.