Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data.
The following versions of the patient monitoring devices are affected:
3.2.1 IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.
CVE-2020-16214 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.
CVE-2020-16218 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
3.2.3 IMPROPER AUTHENTICATION CWE-287
In Patient Information Center iX (PICiX) Version B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01, when an actor claims to have a given identity, the software does not prove or insufficiently proves the claim is correct.
CVE-2020-16222 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.4 IMPROPER CHECK FOR CERTIFICATE REVOCATION CWE-299
In Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior, the software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate.
CVE-2020-16228 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L).
3.2.5 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
In Patient Information Center iX (PICiX) Versions C.02, C.03, the software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart.
CVE-2020-16224 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.6 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286
In Patient Information Center iX (PICiX) Versions C.02, C.03, PerformanceBridge Focal Point Version A.01, the product receives input that is expected to be well-formed (i.e., to comply with a certain syntax) but it does not validate or incorrectly validates that the input complies with the syntax, causing the certificate enrollment service to crash. It does not impact monitoring but prevents new devices from enrolling.
CVE-2020-16220 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
In IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior, the product receives input or data but does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly, which can induce a denial-of-service condition through a system restart.
CVE-2020-16216 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.8 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
CVE-2020-16212 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.
Note: To successfully exploit these vulnerabilities, an attacker would need to gain either physical access to surveillance stations and patient monitors or access to the medical device network.
Philips released the following versions to remediate reported vulnerabilities:
As a mitigation to these vulnerabilities, Philips recommends the following:
Users with questions regarding their specific Philips Patient Information Center (PIC iX) and/or IntelliVue patient monitor installations and new release eligibility should contact their local Philips service support team, or regional service support, or call 1-800-722-9377.
Please see the Philips product security website for the Philips advisory and the latest security information for Philips products.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16212
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16214
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16216
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16218
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16220
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16222
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16224
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16228
cwe.mitre.org/data/definitions/1236.html
cwe.mitre.org/data/definitions/1286.html
cwe.mitre.org/data/definitions/130.html
cwe.mitre.org/data/definitions/20.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/299.html
cwe.mitre.org/data/definitions/668.html
cwe.mitre.org/data/definitions/79.html
github.com/cisagov/CSAF
incenter.medical.philips.com/
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Philips%20Patient%20Monitoring%20Devices%20%28Update%20C%29+https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-254-01
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/resources-tools/resources/ics-recommended-practices
www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
www.cisa.gov/topics/industrial-control-systems
www.cisa.gov/topics/industrial-control-systems
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-254-01&title=Philips%20Patient%20Monitoring%20Devices%20%28Update%20C%29
www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-254-01
www.oig.dhs.gov/
www.philips.com/productsecurity
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-254-01
www.usa.gov/
www.usa.philips.com/healthcare/solutions/customer-service-solutions
www.usa.philips.com/healthcare/solutions/customer-service-solutions
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Philips%20Patient%20Monitoring%20Devices%20%28Update%20C%29&body=www.cisa.gov/news-events/ics-medical-advisories/icsma-20-254-01