3 unpatched vulnerabilities in Philips MRI 1.5T and 3T machines allow leaking confidential health data

Information security specialists report the detection of three vulnerabilities in MRI 1.5T and MRI 3T, two magnetic resonance imaging systems developed by the technology company Philips. According to the reports, the flaws could be exploited by an attacker with local access to expose sensitive information held on the affected systems, and no fixes are available so far.

Below are brief descriptions of the reported vulnerabilities, along with their CVE identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-3083: Improper access control allows a threat actor with local access to bypass security restrictions in MRI 1.5T and 3T and thereby reach sensitive information on the system.

The flaw received a CVSS score of 5.7/10 and its exploitation would allow threat actors to gain unauthorized access to restricted features.

CVE-2021-3085: The affected products can assign ownership of a resource to an actor outside the intended sphere of control (incorrect ownership assignment), which a malicious hacker with local access can leverage to obtain potentially sensitive information.

This is a medium-severity vulnerability (a CVSS score of 5.7/10 falls in the medium range, not the low range).

CVE-2021-3084: Exposure of sensitive information to an unauthorized actor. A threat actor with local access to an affected deployment could obtain sensitive information from the system without authorization.

The vulnerability received a CVSS score of 5.7/10.

According to the report, the flaws detected reside in the following versions of the affected Philips products:

  • MRI 1.5T v5.0
  • MRI 3T v5.0

Although no active exploitation of these flaws has been detected so far, it bears repeating that no patches are available. All three vulnerabilities require local access to the affected system, so restricting physical access and local logon to the MRI console, and keeping it on a segmented network, reduces exposure in the meantime. Health facilities that operate vulnerable machines are advised to stay in contact with the vendor for guidance on the most appropriate mitigations.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.