Philips Clinical Collaboration Platform is a systems that delivers data and tools across the hospital enterprise – from clinical data reporting to enterprise-wide ingestion and archiving, to full patient and clinical data management.
5-low to medium vulnerabilities were identified in the platform by Northridge Hospital Medical Center who reported the vulnerabilities to Philips.
If successfully exploited, hackers could convince authorized users to perform unauthorized actions that could result in the breach of information and could lead to further attacks.
Philips claims that they have not seen any reports of findings of a real world attack and that there have been no reports of incidents from clinical use associated with vulnerabilities.
Versions 12.2.1 and prior versions are effected and range in severity from low to medium.
Here are the vulnerabilities that were discovered:
- CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8)
- CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5)
- CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity given by an attacker to ensure the claim is correct. (CVSS 5.0)
- CVE-2020-14525 – Improper neutralization of scripty in attributes in a web page – Does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. (CVSS 3.5)
- CVE-2020-14506 – When input or data is provided, there are insufficient checks to ensure the input has the properties to allow data to be processed safely and correctly. (CVSS 3.4) – Philips released a patch in June 2020 for web portals which fixed this security flaw.
Philips released a new version of the Vue PACS Clinical Collaboration Platform (Version 12.2.5) in May 2020, which corrected four of the flaws (CVE-2020-14506, CVE-2020-14525, CVE-2020-16247, and CVE-2020-16198).
CVE-2020-16200, could not be patched and requires manual intervention to prevent exploitation.
Affected customers are encouraged to contact Philips Customer Support to receive assistance correcting the vulnerability.
Philips also recommends that additional measures are taken for protection including:
- Implement physical security measures to limit or control access to critical systems.
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts and services.
Under the Coordinated Vulnerability Disclosure Policy, Philips is required to notify relevant authorities and issue a security advisory regarding the flaws and it appears they did as soon as they were notified.