- Medtronic Criticized for Lax Medical Device Security Response
- Medical Device Security Requires Collaborative Action from Industry
- Patient Safety Concerns Driving Medical Device Security Investment
The Philips e-Alert sensor-based tool measures environmental factors against thresholds, triggering an alert if a key MRI parameter diverges from a predefined value. Alerts are sent by email, text message, and/or as part of a local alarm system.
Exploiting the improper input validation vulnerability, an attacker could craft the input in a form that is not expected by the rest of the application, which could result in altered control flow, arbitrary control of a resource, or arbitrary code execution. A CVSS vulnerability score of 7.1 (high) has been calculated for this vulnerability (CVE-2018-8850).
For the cross-site scripting vulnerability, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output, which is used as a web page served to other users. A CVSS score of 7.1 (high) has been calculated for this security issue (CVE-2019-8846)
In the case of the information exposure issue, an attacker could obtain extraneous product information, such as operating system and software components, using the HTTP response header that might be useful in an attack. A CVSS score of 5.3 (medium) has been calculated for this security problem (CVE-2018-14803).
For the incorrect default permissions vulnerability, the software, upon installation, sets incorrect permissions for an object that exposes it to an attacker. A CVSS score of 7.1 (high) has been calculated for this vulnerability (CVE-2018-8848).
In the case of the cleartext transmission of sensitive information vulnerability, the software transmits sensitive data in cleartext in a communication channel that can be sniffed by attackers, who could steal personal contact information and application login credentials. A CVSS score of 7.5 (high) has been calculated for this security problem (CVE-2018-8842).
For the cross-site request forgery issue, the web application does not sufficiently verify whether a well-formed, valid, and consistent request was intentionally provided by the user who submitted the request. A CVSS score of 6.8 (medium) has been calculated for this vulnerability (CVE-2018-8844).
Exploiting the session fixation vulnerability, an attacker could steal authenticated sessions without invalidating any existing session identifier. A CVSS score of 6.4 (medium) has been calculated for this vulnerability (CVE-2018-8852).
In the case of the resource exhaustion vulnerability, the software does not properly restrict the size or amount of resources requested or influenced by a user, which can be used to consume more resources than intended. A CVSS score of 7.5 (high) has been calculated for this vulnerability (CVE-2018-8854).
And the use of hard-coded credentials, because they are easy to guess, an attacker could compromise the credentials and gain access to the system. A CVSS score of 9.8 (critical) has been calculated for this vulnerability (CVE-2019-8856).
In June, Philips released Version R2.1 to fix the remediate cleartext transmission of sensitive information, improper input validation, use of hard-coded credentials, and session fixation vulnerabilities.
The company plans another product software update for the end of 2018 that fixes the resource exhaustion, cross-site scripting, incorrect default permissions, information exposure, and cross-site request forgery vulnerabilities.
As an immediate fix for the vulnerabilities on the local area network, Philips recommended that users ensure that network security best practices are implemented and limit network access to e-Alert in accordance with product documentation.
August has been a busy month for vulnerability disclosures in Philips medical devices.
ICS-CERT warned about vulnerabilities in Philips IntelliVue Information Center iX central patient monitoring system, which could result in the operating system becoming unresponsive due to a network attack, Philips’ PageWriter Cardiograph devices, which could allow attackers to modify settings, and Philips' IntelliSpace Cardiovascular cardiac image and information management system, which enable attackers to escalate privileges on the ISCV server and carry any command they wanted.