Philips found an authentication bypass issue affecting Philips Ultrasound Systems. An attacker could exploit this flaw to access or modify data. The vulnerability stems from an alternate path or channel that can be used to bypass the authentication controls.
The vulnerability is tracked as CVE-2020-14477. It is rated low severity, with a CVSS v3 base score of 3.6 out of 10. Exploitation requires local access to a vulnerable system; the vulnerability cannot be exploited remotely. Additionally, there is no risk to patient safety if the vulnerability is exploited.
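The advisory describes only the vulnerability class (an alternate path that sidesteps an authentication check), not the mechanism in the ultrasound software. The following is an added, generic illustration of that class and of the deny-by-default design that prevents it; it is constructed example code, not Philips code and not derived from the affected systems. All paths, tokens and record values are made up.

```python
"""Generic illustration of an authentication bypass via an alternate path:
a check that lives inside one request handler can be skipped by reaching the
same backend through a second route that lacks the check.  Constructed
example; not Philips code and not derived from the advisory."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Handler = Callable[["Request"], Tuple[int, str]]


@dataclass
class Request:
    path: str
    token: Optional[str] = None  # constructed: session token, or None if absent


VALID_TOKENS = {"tok-operator-1"}             # constructed credential store
PATIENT_RECORDS = {"p100": "study-2020-07"}   # constructed sample data


def is_authenticated(req: Request) -> bool:
    return req.token in VALID_TOKENS


# --- Vulnerable design: authentication enforced inside individual handlers --
def records_handler(req: Request) -> Tuple[int, str]:
    if not is_authenticated(req):
        return 401, "unauthorized"
    return 200, PATIENT_RECORDS["p100"]


def legacy_export_handler(req: Request) -> Tuple[int, str]:
    # Alternate path added later (e.g. for a service tool).  The check was
    # never copied here, so it reaches the same data unauthenticated.
    return 200, PATIENT_RECORDS["p100"]


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/records": records_handler,
    "/legacy/export": legacy_export_handler,
}


def dispatch_vulnerable(req: Request) -> Tuple[int, str]:
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# --- Hardened design: one deny-by-default gate in front of every route -----
PUBLIC_PATHS = {"/health"}  # explicit allow-list of unauthenticated routes


def health_handler(req: Request) -> Tuple[int, str]:
    return 200, "ok"


HARDENED_ROUTES: Dict[str, Handler] = {
    "/records": records_handler,
    "/legacy/export": legacy_export_handler,
    "/health": health_handler,
}


def dispatch_hardened(req: Request) -> Tuple[int, str]:
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    # Every route is authenticated unless explicitly listed as public, so a
    # forgotten or newly added alternate path cannot bypass the control.
    if req.path not in PUBLIC_PATHS and not is_authenticated(req):
        return 401, "unauthorized"
    return handler(req)


# --- Defender's check: which routes answer an unauthenticated request? ------
def find_unauthenticated_paths(dispatch: Callable[[Request], Tuple[int, str]],
                               routes: Dict[str, Handler],
                               public_paths: set) -> List[str]:
    """Probe every registered route with no token; report those that return
    200 without being declared public.  Useful as a regression test so that
    adding a route can never silently widen the unauthenticated surface."""
    leaks = []
    for path in routes:
        status, _ = dispatch(Request(path=path, token=None))
        if status == 200 and path not in public_paths:
            leaks.append(path)
    return sorted(leaks)


if __name__ == "__main__":
    print(find_unauthenticated_paths(dispatch_vulnerable, VULNERABLE_ROUTES, PUBLIC_PATHS))
    print(find_unauthenticated_paths(dispatch_hardened, HARDENED_ROUTES, PUBLIC_PATHS))
```

The design point is where the check lives: a per-handler check is only as complete as the developer's memory, whereas a single gate ahead of dispatch with an explicit public allow-list fails closed, and the route audit turns that property into something a build can assert.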
The following Philips Ultrasound Systems are affected by vulnerability CVE-2020-14477:
- Ultrasound Sparq Version 3.0.2 and prior versions
- Ultrasound Xperius all versions
- Ultrasound ClearVue Versions 3.2 and prior versions
- Ultrasound CX Versions 5.0.2 and prior versions
- Ultrasound EPIQ/Affiniti Versions VM5.0 and prior versions
The vulnerability has been resolved for the Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips support agent for details on installing the update.
Users of the other affected systems must wait for an update due in the fourth quarter of 2020. Philips will address the vulnerability in Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 in the fourth quarter of 2020.
In the meantime, as an interim precaution, Philips advises users to ask their service providers to verify device integrity whenever service and repair procedures are completed. It is also advisable to enforce physical security procedures that keep unauthorized individuals from gaining access to the devices.