Serious Flaws Found in Philips Patient Monitoring Devices
8.6.2018 securityweek ICS
Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available.
A total of three flaws were identified by Medigate in Philips IntelliVue patient monitors (MP and MX series) and Avalon fetal monitoring systems (FM20, FM30, FM40 and FM50). Advisories describing the issues have been published by Medigate, Philips and ICS-CERT.
The most serious of them, based on its CVSS score of 8.3, allows an unauthenticated attacker to access memory and write to the memory of a targeted device. A similar flaw allows an unauthenticated attacker to read memory, but this issue has been assigned a severity rating of “medium.”Vulnerabilities found in Philips fetal monitoring system
Another high severity vulnerability is related to the devices exposing an “echo” service that can be leveraged by an attacker to cause a stack-based buffer overflow.
“The vulnerabilities allow a remote unauthenticated attacker to write memory on the device, which may allow remote code execution. Successful exploitation could open up a window for an attacker to read and/or write to the memory, which in turn could lead to a denial of service to the monitor, a breach of patient health information (PHI), as well as harm the integrity of the patient data,” Medigate said.
Philips expects to release patches in the second and third quarters of 2018. In the meantime, users have been advised to consult security and network configuration guides provided by the company to mitigate the risk.
“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities,” Philips said in its advisory.
The company also pointed out that exploiting these flaws requires “significant technical knowledge and skill,” and access to the local area network (LAN) hosting the affected devices.
Earlier this year, Philips informed customers that dozens of vulnerabilities affected the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.