Security researchers reported several vulnerabilities in Philips Clinical Collaboration Platform Portal.
Vulnerabilities in Philips Clinical Collaboration Platform Portal
The vulnerabilities, 15 in total, could be used to take control of medical devices. According to an official CISA advisory, the flaws can be exploited remotely in attacks with low complexity.
In terms of risk evaluation, “successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.”
What is the Philips Clinical Collaboration Platform Portal, known as Vue PACS? Shortly said, the platform is a healthcare clinical analytics solution. Affected are the following versions of the product:
- Vue PACS: Versions 12.2.x.x and prior
- Vue MyVue: Versions 12.2.x.x and prior
- Vue Speech: Versions 12.2.x.x and prior
- Vue Motion: Versions 220.127.116.11 and prior
Here is a list of the vulnerabilities, as per the official CISA advisory:
- CVE-2020-1938, which could lead to improper input validation;
- CVE-2018-12326 and CVE-2018-11218, or improper restriction of operations with the bounds of a memory buffer;
- CVE-2020-4670, which causes improper authentication;
- CVE-2018-8014, or insecure default initialization of resource;
- CVE-2021-33020, or use of a key past its expiration date;
- CVE-2018-10115, or improper initialization issues;
- CVE-2021-27501, or improper adherence to coding standards;
- CVE-2021-33018, or the use of risky cryptographic algorithm;
- CVE-2021-27497, or issues related to protection mechanism failures;
- CVE-2012-1708 which causes data integrity issues;
- CVE-2015-9251 which causes cross site scripting issues;
- CVE-2021-27493 which can lead to improper neutralization;
- CVE-2019-9636, or improper handling of Unicode coding;
- CVE-2021-33024 which could lead to insufficiently protected credentials;
- CVE-2021-33022 which could cause cleartext transmission of sensitive information.
It is noteworthy that Philips reported all the issues to the Cybersecurity and Infrastructure Agency (CISA). Lastly, there are no known public exploits based on any of the vulnerabilities.