Lucene search

K
thnThe Hacker NewsTHN:EF08CCF54E69481550D84949A563BAD5
HistoryJul 09, 2021 - 7:00 a.m.

Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems

2021-07-0907:00:00
The Hacker News
thehackernews.com
131

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

PACS Medical Imaging Systems

Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system.

“Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in an advisory.

The 15 flaws impact:

  • VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior),
  • Vue MyVue (versions 12.2.x.x and prior),
  • Vue Speech (versions 12.2.x.x and prior), and
  • Vue Motion (versions 12.2.1.5 and prior)

Four of the issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis.

Another serious flaw (CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform’s use of cryptographic keys beyond their established expiration date, “which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.”

Other weaknesses involve the use of a broken or risky cryptographic algorithm (CVE-2021-33018), a cross-site scripting attack when handling user-controllable input (CVE-2015-9251), insecure methods to protect authentication credentials (CVE-2021-33024), improper or incorrect initialization of resources (CVE-2018-8014), and a failure to follow coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.

While Philips has addressed some of the shortcomings as part of its updates shipped in June 2020 and May 2021, the Dutch healthcare company is expected to patch the rest of the security issues in version 15 of Speech, MyVue, and PACS that’s currently in development and set for release in Q1 2022.

In the interim, CISA is urging entities to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P