Philips Clears Hole in Medical Systems

Tuesday, November 14, 2017 @ 05:11 PM gHale


Philips created updates to mitigate a vulnerability in the Philips’ IntelliSpace Cardiovascular and Xcelera cardiac image and information management systems, according to a report with ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability could allow an attacker to gain unauthorized access to sensitive information stored on the system, modify device configuration, and gain access to connected devices. Philips discovered and reported the vulnerability.

RELATED STORIES
AutomationDirect Mitigates Software Glitch
Siemens Fixes SIMATIC PCS 7 Issue
No Fixes for Outdated ABB FOX515T
New Version Clears Trihedral Holes

The vulnerability affects the following versions of the IntelliSpace Cardiovascular and Xcelera cardiac image and information management systems:
• IntelliSpace Cardiovascular, Version 2.3.0 and prior
• Xcelera, R4.1L1 and prior

Philips is a global company that maintains offices in many countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.

The Philips IntelliSpace Cardiovascular and Xcelera systems (a predecessor to IntelliSpace Cardiovascular) are comprehensive cardiac image and information management software.

IntelliSpace Cardiovascular and Xcelera systems see action across the healthcare and public health sectors. Philips estimates these products see use on a global basis.

In the vulnerability, credentials end up stored in cleartext in system files that may allow an attacker with elevated privileges to gain unauthorized access to data to include patient health information, system resources, and misuse of connected assets.

CVE-2017-14111 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit this vulnerability.

Philips is producing software hotfix updates for all IntelliSpace Cardiovascular and latest Xcelera versions, some of which are available upon request, while other versions are in the process of development and are expected to be completed by the end of 2017.

Philips has initiated a voluntary medical device correction aligned with IntelliSpace Cardiovascular proactive field change order (reference FCO83000202) to be issued as IntelliSpace Cardiovascular updates become available.

Users with questions regarding their specific IntelliSpace Cardiovascular or Xcelera installations are advised by Philips to contact their local Philips service support team or their regional service support. Click here to view Philips’ contact information.

Click here to view the Philips product security web site for the latest security information.



Leave a Reply

You must be logged in to post a comment.