15 Philips Vue Vulnerabilities Might Lead to Full Takeover of the Devices
CISA Has Recently Informed Enterprises in an Advisory About 15 Philips Vue Vulnerabilities That Can Be Found in the Healthcare Products of Philips Vue PACS.
CISA has recently raised awareness on some issues discovered in Philips Vue PACS health devices. 15 Philips Vue Vulnerabilities located in the Philips Clinical Collaboration Platform Portal represent dangerous tools in the hands of a hacker as they could cause remote code execution cyberattacks.
What Can a Hacker Gain By Exploiting These Philips Vue Vulnerabilities?
CISA (The U.S. Cybersecurity and Infrastructure Security Agency) stated in the declaration on the matter the risk these vulnerabilities bring with them:
Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.
A Closer Look in the Philips Vue Vulnerabilities
The flaws require urgent assistance and patching, as out of 15, 4 of them have received 9.8 on the CVSS ranking (Common Vulnerability Scoring System). According to the CISA website, the found vulnerabilities were described as below in the advisory published for informative purposes:
- #1 CVE-2020-1938: 9.8 CVSS scored flaw caused by improper validation of the received data.
- #2 CVE-2018-12326 and CVE-2018-11218: the software that works through a memory buffer cannot read or write to an outside of the buffer area memory location. It can be found on the Redis component.
- #3 CVE-2020-4670: scored with 9.8 CVSS, it’s caused by improper authentication. The Redis Software cannot assert the validity of the threat actor’s given identity claim.
- #4 CVE-2018-8014: the default set by the software is not secure (it’s intended to be modified by the administrator).
- #5 CVE-2021-33020: expired passwords and cryptographic keys the product uses lead to increasing the timing window.
- #6 CVE-2018-10115: it exists in the third-party component 7-Zip. Incorrect initialization of the resource leads to unexpected status.
- #7 CVE-2021-27501: specific development coding rules are not implemented by the software.
- #8 CVE-2021-33018: a damaged algorithm of cryptography might lead to data leakage.
- #9 CVE-2021-27497: the protection mechanism is not properly used by the product.
- #10 CVE-2012-1708: it lies in the third-party Oracle Database component and is related to data integrity.
- #11 CVE-2015-9251: user-controllable input is not correctly neutralized before locating it in output.
- #12 CVE-2021-27493: structured data or messages are not ensured in a proper way.
- #13 CVE-2019-9636: the Unicode encoding from the input is not accurately managed by the software.
- #14 CVE-2021-33024: the method to protect authentication credentials is insecure.
- #15 CVE-2021-33022: the communication channel through which sensitive data is transmitted might be sniffed.
What Philips Vue Devices Are Impacted?
It was reported that the impacted devices are Vue Speech 12.2 and previous variants, Vue Motion and Philips Vue PACS, MyVue.
What Can Be Done Against These Philips Vue Vulnerabilities?
CISA declared that some of them were patched, but others will not receive security updates earlier than 2022.
According to SCMagazine, a good measure would be to reduce the network connection of the devices. Remote devices and control system networks should be handled by administrators, these must isolate them from the company’s network and locate them behind firewalls. However, if these appliances with Philips Vue vulnerabilities should be used remotely, this is not recommended to be done without a secure connection such as an updated VPN.
The update of the antivirus in the ICS environment and is another good practice.