Vulnerability found in Philips Ultrasound Systems

Philips has identified an authentication bypass vulnerability affecting several of its Ultrasound Systems. An attacker who can reach an affected device could exploit it to view or modify information on the system. The vulnerability is caused by the presence of an alternate path or channel that can be used to bypass the system's authentication controls.

The vulnerability has been assigned CVE-2020-14477. It is rated low severity, with a CVSS v3 base score of 3.6 out of 10. To exploit it, an attacker needs local access to a vulnerable system; the vulnerability cannot be exploited remotely. Philips further states that exploitation does not endanger patient safety.

The vulnerability affects the Philips Ultrasound Systems listed below:

  • Ultrasound Xperius, all versions
  • Ultrasound ClearVue, version 3.2 and earlier
  • Ultrasound EPIQ/Affiniti, version VM5.0 and earlier
  • Ultrasound CX, version 5.0.2 and earlier
  • Ultrasound Sparq, version 3.0.2 and earlier

The vulnerability has been fixed in release VM6.0 of the Ultrasound EPIQ/Affiniti systems. Customers using these systems should contact their Philips representative for details on installing the update.

Customers of the other affected systems should expect an update in the fourth quarter of 2020: Philips plans to fix the vulnerability in Ultrasound CX version 5.0.3, Ultrasound ClearVue version 3.3 and Ultrasound Sparq version 3.0.3, all scheduled for release in Q4 2020.

In the meantime, as an interim mitigation, Philips advises users to ensure that their service providers verify device integrity when carrying out service and repair procedures, and to apply physical security controls so that unauthorized persons cannot gain access to the devices.