Cyber security awareness specialists reported the finding at least 8 vulnerabilities in some patient monitoring devices developed by Philips. According to the report, the exploitation of these flaws would allow unauthorized access, interrupted monitoring and collection of patient data information.
Products affected by these flaws are listed below:
- Patient Information Center iX (PICiX), versions B.02, C.02, C.03
- PerformanceBridge Focal Point version A.01
- IntelliVue MX100, MX400-MX850, and MP2-MP90, versions N and later
- IntelliVue X3 and X2 versions N and later
Below are brief reviews of the reported vulnerabilities, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-16214: The software stores user-supplied information in a comma-separated values (CSV) file, but incorrectly neutralizes special elements that could be interpreted as a command when the file is opened with spreadsheet software, cyber security awareness experts mention.
This flaw received a score of 4.2/10.
CVE-2020-16218: The software incorrectly neutralizes user-controllable input before it is placed on the output which is then used as a website and served to other users, which could lead to unauthorized access to patient data. The flaw received a score of 3.5/10.
CVE-2020-16222: The software cannot verify the user’s identity correctly, so the system is exposed to threat actors. The vulnerability received a score of 5/10, mentioned by cyber security awareness experts.
CVE-2020-16228: The software incorrectly checks the revocation status of a certificate, which can cause it to use a compromised certificate. The vulnerability received a score of 6.0/10.
CVE-2020-16224: Vulnerable software can parse a formatted structure or message, but does not properly handle a length field, which results in an arbitrary reboot on the target system.
The vulnerability received a score of 6.5/10.
CVE-2020-16220: The product receives an entry of an appropriate format, but does not incorrectly validate or validate that the entry complies with the correct syntax, which causes the certificate enrollment service to fail, making it difficult to enroll new devices. The flaw received a score of 3.4/10.
CVE-2020-16216: Incorrect validation of data received by the affected system could lead to a denial of service (DoS) condition through a system restart. This vulnerability received a score of 6.5/10.
CVE-2020-16212: The product exposes a recourse to the wrong sphere of control, providing threat actors with the resources to access the system improperly. The vulnerability received a score of 5.8/10.
Philips acknowledged the flaws after receiving the report, announcing that the required patches would be released as soon as possible. Updates are now available, so affected deployment administrators should urge them immediately.