Five low- to medium-severity vulnerabilities have been discovered in the Philips Clinical Collaboration Platform (Vue PACS). An attacker could exploit them to influence an authorized user to perform unauthorized activities or to disclose data that may be used in other attacks.
Philips has received no reports suggesting that exploits have been developed for the vulnerabilities or that they have been used in actual attacks. Healthcare providers have also reported no incidents connected with the vulnerabilities.
The vulnerabilities affect platform versions 12.2.1 and earlier. Severity ranges from a CVSS v3 base score of 3.4 (low) to a CVSS v3 base score of 6.8 (medium).
1. CVE-2020-16200 (CVSS base score 6.8) occurs when a resource is exposed to the wrong control sphere, enabling an attacker to gain unauthorized access to that resource.
2. CVE-2020-16247 (CVSS base score 6.5) involves an algorithm downgrade. It involves a failure to manage the allocation and maintenance of a limited resource, which can result in the depletion of available resources.
3. CVE-2020-16198 (CVSS base score 5.0) involves a protection mechanism failure. It occurs when the identity claimed by an attacker is not checked, or is inadequately checked, to confirm that the claim is correct.
4. CVE-2020-14525 (CVSS base score 3.5) involves improper neutralization of script in attributes in a web page. It arises when user-controllable input is not neutralized, or is improperly neutralized, before being placed in output on a web page that is served to other users.
5. CVE-2020-14506 (CVSS base score 3.4) arises when supplied input or data is not sufficiently checked to make sure it has the attributes needed for safe and correct processing.
In June 2020, Philips issued a patch for the web version of the Clinical Collaboration Platform (Version 126.96.36.199) to fix the two low-severity vulnerabilities CVE-2020-14506 and CVE-2020-14525.
In May 2020, Philips launched the latest version of the Vue PACS Clinical Collaboration Platform (Version 12.2.5) that fixed the four vulnerabilities CVE-2020-16198, CVE-2020-14506, CVE-2020-14525, and CVE-2020-16247.
There is no patch for the remaining vulnerability, CVE-2020-16200. Manual intervention is necessary to avoid exploitation. Affected customers should contact Philips Customer Support for guidance on fixing the vulnerability.
Philips additionally recommends these mitigations:
- Apply physical security procedures to restrict or control access to critical systems.
- Allow only authorized personnel to access systems, and implement a least-privilege strategy.
- Implement defense-in-depth strategies.
- Deactivate accounts and services that are not needed.
Northridge Hospital Medical Center discovered the vulnerabilities and reported them to Philips. Philips issued a security notice and informed the appropriate authorities about the vulnerabilities in compliance with the Coordinated Vulnerability Disclosure Policy.