Information security awareness specialists reported the discovery of a critical vulnerability in DreamMapper, a monitoring system developed by Philips that serves as an assistant in the treatment of sleep apnea. According to the report, successful exploitation of this flaw would allow threat actors to access information in the log file, which contains descriptive error messages.
This system is employed by health organizations, whether public or private, everywhere in the world, so the possible exploitation of this flaw is a risk that governments and cybersecurity agencies must seriously consider.
Tracked as CVE-2020-14518, the flaw is an information-exposure weakness: sensitive information is written to log files, where it could be read and used to mount subsequent attacks. The flaw received a score of 5.3/10 under the Common Vulnerability Scoring System (CVSS), information security awareness specialists mentioned.
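The weakness class described above (sensitive data ending up in log files, commonly catalogued as CWE-532) is easiest to see side by side with its usual remedy. The following is an added example and is not code from Philips, DreamMapper or the advisory: a leaky logger that writes descriptive error strings unchanged, next to the same logger with a redaction filter that scrubs credentials and identifiers before any handler writes them. The logger names, regular expressions and sample error strings are all constructed for this illustration.

```python
import logging
import re
from io import StringIO

# Constructed redaction rules for this example: credentials in query strings,
# bearer tokens, and a simple national-ID-style number. A real deployment
# would tune these patterns to the data its own application handles.
REDACTION_RULES = [
    (re.compile(r"(?i)\b(password|passwd|token|secret)=([^&\s]+)"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-ID]"),
]


def redact(text: str) -> str:
    """Apply every redaction rule to a single log message."""
    for pattern, replacement in REDACTION_RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the record in place so no handler can write the raw value."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Merge the format arguments first, then scrub the final text.
        record.msg = redact(record.getMessage())
        record.args = ()  # arguments are already folded into msg
        return True


def _make_logger(name: str, stream: StringIO, redacting: bool) -> logging.Logger:
    """Build an isolated logger writing to an in-memory stream (hypothetical names)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        # Logger-level filters run before callHandlers(), so every handler
        # (file, syslog, console) receives the already-redacted record.
        logger.addFilter(RedactingFilter())
    return logger


def leaky_logs(messages):
    """CWE-532 pattern: descriptive error text reaches the log unchanged."""
    stream = StringIO()
    logger = _make_logger("example.leaky", stream, redacting=False)
    for m in messages:
        logger.error("request failed: %s", m)
    return stream.getvalue()


def safe_logs(messages):
    """Same messages, but the filter scrubs secrets before the handler runs."""
    stream = StringIO()
    logger = _make_logger("example.safe", stream, redacting=True)
    for m in messages:
        logger.error("request failed: %s", m)
    return stream.getvalue()


# Constructed sample error strings; not real DreamMapper output.
SAMPLE_ERRORS = [
    "GET /api/session?token=abc123&user=bob -> 401 Unauthorized",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig rejected",
    "patient record 123-45-6789 not found",
]

if __name__ == "__main__":
    print("--- without redaction ---")
    print(leaky_logs(SAMPLE_ERRORS))
    print("--- with redaction ---")
    print(safe_logs(SAMPLE_ERRORS))
```

The filter is attached to the logger rather than to one handler so that every output path, including a file handler that later gets added, sees the same scrubbed record; the contrast between `leaky_logs` and `safe_logs` is the whole difference between a log file that is merely verbose and one that exposes the values an advisory like this one warns about.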
The flaw was reported by Lutz Weimann, Tim Hirschberg, Issam Hbib and Florian Mommertz of SRC Security Research & Consulting GmbH, based in Germany.
In response to the report, Philips announced the release of a new version of DreamMapper. The Netherlands-based company assures users that the corrected version of this software will be ready in a few months. Until the update is available, information security awareness experts advise users to implement the following measures to mitigate the risk of exploitation:
- Set up physical security measures to limit access to critical systems
- Restrict access to the system only to authorized personnel, by following a minimum privilege policy
- Apply defense-in-depth strategies
- Disable unnecessary or high-privileged accounts and services
Users can also contact Philips Support Services for additional information. The Cybersecurity and Infrastructure Security Agency (CISA) also asked users to implement the necessary security measures to prevent any malicious activity on their systems.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.