Serious vulnerabilities in Philips medical devices

Share this…

Advanced hacking skills are not necessary to exploit the flaw

Several remote code execution vulnerabilities have been found on Philips devices designed to generate cardiovascular imaging, report experts in cybersecurity.

According to a security advisory from the US Department of Homeland Security‘s Computer Emergency Readiness Team, the first vulnerability, tracked as CVE-2018-14787, affecting IntelliSpace Cardiovascular and Xcelera IntelliSpace Cardiovascular (ISCV), both Philips developments.

The notice mentions that the vulnerability only requires “basic hacking ability” to be exploited, and is caused by improper management.

In ISCV software version 2.x or earlier, and Xcelera version 4.1 or earlier, an attacker is able to access folders on the system that might have executables that provide the attacker with authentication to overwrite the system. “Successful exploitation of these vulnerabilities could grant an attacker with local access and user privileges to the ISCV server or Xcelera to execute arbitrary code”.

The second vulnerability, CVE-2018-14789, affects the ISCV system version 3.1 or earlier and Xcelera version 4.1 or earlier. Unquoted search paths allow attackers to increase their privilege levels and execute arbitrary codes.

In a Philips security notice, it was mentioned that the servers for ISCV version 2.x and above and Xcelera from 3x to 4 x contain 20 Windows services whose executables are present in a folder where authenticated users are granted permissions to overwrite. “Services run as a local administrator account or a local system account, and if a user replaces one of the executables with a different program, that program would also run with local administrator or local system permissions”, the company mentioned.

In ISCV version 3.x and above and Xcelera 3.x to 4.x, there are 16 vulnerable Windows services; these services are run with local administrator rights and can be started with a registry key, potentially offering an attacker a path to place an executable that grants local administrator rights.

Vulnerabilities cannot be remotely exploited and no reports have been received indicating exploitation in the wild.

The mitigations will be applied through a patch that will be released next October. Meanwhile, Philips suggests users should restrict the available permissions when possible.

The United States takes very seriously even the slightest security flaw in medical devices. There is a background of the US Food and Drug Administration (FDA), which once ordered the removal of 465 St. Jude pacemakers to correct several flaws, the vulnerabilities found in these systems can cause anxiety in patients and they even could stop working suddenly.

Cyber security organization specialists from the International Institute of Cyber Security consider that FDA recommendations should not go unnoticed for those involved in these cases.