The vulnerability CVE-2019-13546 was discovered in the Philips IntelliSpace Perinatal obstetrics data management system.
The vulnerability is exploitable remotely by a user of an authorized remote desktop session host application, or locally by a person with physical access to a locked application screen. An attacker with a low skill level could exploit it. The flaw affects IntelliSpace Perinatal Version K and prior versions and has been assigned a CVSS v3 base score of 6.1 (medium severity).
An attacker who exploits this vulnerability could escape the containment of the application and gain access to resources through the Windows operating system as a restricted-access Windows user. Once that access has been obtained, the attacker could attempt to obtain administrator-level privileges on the operating system. The attacker could also execute software; view, remove or update files and directories; and modify system settings. This undermines the integrity, confidentiality and availability of the application and the system. If the Document Export (DOX) function is installed on the application server, protected health information (PHI) may also be exposed.
Brian Landrum of Coalfire LABS identified the vulnerability and reported it to Philips. Under Philips' Coordinated Vulnerability Disclosure Policy, the company issued an advisory to raise awareness of the vulnerability and to let users apply mitigating controls that reduce the risk of exploitation.
Philips is evaluating whether the vulnerability can be corrected in the next product update, which is expected to be issued before the end of 2020. In the meantime, Philips has published mitigations that may be applied to reduce the likelihood of exploitation. Users of the obstetrics information management system can obtain the mitigation information from Philips InCenter and the US-CERT website. The product documentation will also be updated to include the specifics of these mitigations.