ICS-CERT’s Advisory on 9 Philips E-Alert Units Vulnerabilities

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a statement concerning nine vulnerabilities identified in Philips healthcare products upon the Amsterdam-based technology firm statement of the matter to the National Cybersecurity & Communications Integration Center (NCCIC).

ICS-CERT by now gave four announcements (which include this) in the last month. Earlier advisories include the cybersecurity vulnerabilities in its core patient monitoring system

  • Philips IntelliVue Information Center iX – 1 vulnerability
  • Philips PageWriter Cardiographs – 2 vulnerabilities
  • Philips IntelliSpace Cardiovascular cardiac image and information management software – 2 vulnerabilities

There were nine vulnerabilities found in the most recent announcement regarding Philips eAlert devices – These are non-medical instruments that keep tabs on imaging systems including MRI equipment to track down concerns fast well before they escalate. Healthcare facilities worldwide utilize these devices.

One vulnerability is graded critical, five are ranked high severity, and three are ranked medium severity. In case an attacker on a similar subnet take advantage of the flaws, he/she may possibly acquire user contact information, endanger unit reliability/availability, granted unforeseen input into the program and execute arbitrary codes, replacing display unit data or making the unit to crash. The vulnerabilities have an effect on all models of the application, which include R2.1.

The following details the vulnerabilities based on severity:
CVE-2018-8856 (CWE-798) – Hard-Coded Credentials having CVSS v3 rating of 9.8
A hard-coded cryptographic key is existing in the program which is employed for internal information encryption.

CVE-2018-8842 (CWE-319) – Cleartext Transmission of Sensitive Data having CVSS v3 rating of 7.5
Sensitive and security-critical information which are transmitted in cleartext can be intercepted by unauthorized people to see the data. Considering the unencrypted Philips e-Alert transmission channel, individual contact data and software login details may be accessed from inside the same subnet.

CVE-2018-8854 (CWE-400) – Uncontrolled Resource Consumption having CVSS v3 rating of 7.5
The size or volume of resources asked for or impacted by an actor aren’t adequately confined, which may be employed to consume a lot more resources than planned.

CVE-2018-8850 (CWE-20) – Wrong Input Validation having CVSS v3 rating of 7.1
Wrong validation of input which would enable a malicious actor to write input in a format not anticipated by the software. Sections of the unit may be given unintentional input likely bringing about modified control flow, arbitrary resource regulation, or arbitrary execution of program code.

CVE-2018-8846 (CWE-79) – Incorrect Neutralization of Input While Generating a Web Page having CVSS v3 rating of 7.1
The software is not able to neutralize or wrongly neutralizes user-managed input just before putting in output that is employed as a webpage which is later provided to other users.

CVE-2018-8848 (CWE-276) – Wrong Default Permissions having CVSS v3 rating of 7.1
If the application is installed, wrong permissions are established for an object which reveals it to an unintended user.

CVE-2018-8844 (CWE-352) – Cross-Site Request Forgery having CVSS v3 rating of 6.8
The internet software does not efficiently validate whether or not a well-formed, legit, consistent request was purposefully furnished by the user who sent in the request.

CVE-2018-8852 (CWE-384) – Session Fixation having CVSS v3 rating of 6.4
If validating a user or setting up a new user session, a hacker is granted a chance to grab authenticated sessions without the active session identifier being invalidated

CVE-2018-14803 (CWE-200) – Data Exposure having CVSS v3 rating of 5.3
This is a banner exposure vulnerability that may enable a hacker to acquire product details including the OS and software program components by way of the HTTP response header that will not be generally accessible to an attacker.

Four vulnerabilities were resolved with the release of R2.1 (CVE-2018-8842, CVE-2018-8850, CVE-2018-8856, CVE-2018-8852) and the other five vulnerabilities (CVE-2018-8854, CVE-2018-8848, CVE-2018-8846, CVE-2018-8844, CVE-2018-14803) will be resolved with a software update at year end.

Users of insecure units ought to be sure to update to software program version R2.1 which will fix four of the vulnerabilities, this includes the critical hard-coded credential vulnerability.

Philips likewise advises users to carry out the following measures to lessen the likelihood for exploitation of the five other vulnerabilities until the next application update is readily available:

  • Be sure that network security guidelines are executed, and
  • Control network access to e-Alert as per product documentation.
About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA