Philips Working to Mitigate ISCV Hole

Thursday, January 25, 2018 @ 03:01 PM gHale


Philips is creating a software update to mitigate an insufficient session expiration vulnerability in its IntelliSpace Cardiovascular (ISCV) cardiac image and information management system, according to a report from ICS-CERT.

IntelliSpace Cardiovascular Version 2.3.0 and prior are affected.


Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information stored on the system and modify this information.

Philips maintains offices in countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.

The Philips IntelliSpace Cardiovascular (ISCV) is a comprehensive cardiac image and information management system.

ISCV cardiac image and information management systems are deployed across the healthcare and public health sector. Philips estimates the product is in use worldwide.

The ISCV application has an insufficient session expiration vulnerability: an attacker could reuse the session of a previously logged-in user. The vulnerability exists when ISCV is used together with an Electronic Medical Record (EMR) system, with ISCV running in KIOSK mode for multiple users and using Windows authentication. In that configuration, a session left open on the shared kiosk is not reliably ended when the user walks away, so the next person at the kiosk may gain unauthorized access to patient health information and potentially modify it.

CVE-2018-5438 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.7.

Exploiting this vulnerability requires local access, and no known public exploits specifically target it. An attacker with a low skill level could leverage it.

Philips is adding a configuration option to ISCV 3.1 that allows Windows authentication to be turned off when communicating with an EMR in KIOSK mode. Philips is in the process of releasing this version in the coming months.
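The following is an added illustration of the weakness class described above (CWE-613, insufficient session expiration, on a shared clinical kiosk) beside the session handling a fix needs. It is not Philips code and does not claim to show how ISCV or its EMR integration actually manages sessions; the class names, the kiosk account name, the user names and the timeout values are all made up for the example. The weak store keys the session on the kiosk's shared Windows account and never expires it, so whoever authenticated first "owns" the session for everyone who follows. The hardened store ties the session to the individually authenticated user, replaces it on every new login, and enforces idle and absolute timeouts.

```python
"""Toy model of insufficient session expiration (CWE-613) on a shared kiosk.
Added illustration only: not Philips code and not ISCV's real session logic.
All identifiers and timeouts below are assumptions made for the example."""
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    token: str
    user: str         # clinician the session was issued to
    created: float    # seconds; timestamps are passed in so the demo is deterministic
    last_seen: float


class WeakKioskSessions:
    """Vulnerable pattern: the session is keyed on the kiosk's shared Windows
    account, so the first person to authenticate keeps it indefinitely."""

    def __init__(self):
        self.by_account = {}  # windows_account -> Session

    def open(self, windows_account, user, now):
        # A second person on the same kiosk account silently inherits the
        # existing session instead of receiving one of their own.
        if windows_account not in self.by_account:
            tok = secrets.token_hex(16)
            self.by_account[windows_account] = Session(tok, user, now, now)
        return self.by_account[windows_account].token

    def resolve(self, windows_account, token, now):
        s = self.by_account.get(windows_account)
        if s is None or s.token != token:
            return None
        s.last_seen = now   # no idle or absolute timeout is ever checked
        return s.user


class HardenedKioskSessions:
    """Fixed pattern: a session belongs to one authenticated user, is replaced
    on every new login at the kiosk, and expires on idle time and on age."""

    IDLE_TIMEOUT = 5 * 60        # assumed values, not Philips' defaults
    ABSOLUTE_TIMEOUT = 8 * 3600

    def __init__(self):
        self.by_account = {}

    def open(self, windows_account, user, now):
        # Every login mints a fresh token and terminates the previous one,
        # so a walked-away session cannot be picked up by the next person.
        tok = secrets.token_hex(16)
        self.by_account[windows_account] = Session(tok, user, now, now)
        return tok

    def close(self, windows_account, token):
        s = self.by_account.get(windows_account)
        if s is not None and s.token == token:
            del self.by_account[windows_account]

    def resolve(self, windows_account, token, now):
        s = self.by_account.get(windows_account)
        if s is None or s.token != token:
            return None
        idle = now - s.last_seen > self.IDLE_TIMEOUT
        too_old = now - s.created > self.ABSOLUTE_TIMEOUT
        if idle or too_old:
            del self.by_account[windows_account]   # expired: force re-authentication
            return None
        s.last_seen = now
        return s.user


def scenario(store):
    """Constructed scenario: Alice opens a session and walks away without
    logging out; 20 minutes later Mallory sits at the same kiosk, on the same
    Windows account, with the application still open. Returns whom the store
    believes is acting at each step."""
    kiosk = "CARDIO-KIOSK-01"                         # assumed account name
    alice_tok = store.open(kiosk, "alice", now=0)
    store.resolve(kiosk, alice_tok, now=60)           # Alice works briefly
    # Mallory reuses the token still held by the application (no logout).
    reused = store.resolve(kiosk, alice_tok, now=20 * 60)
    # Mallory then goes through the login screen as herself.
    mallory_tok = store.open(kiosk, "mallory", now=20 * 60 + 5)
    after_login = store.resolve(kiosk, mallory_tok, now=20 * 60 + 10)
    return {"reused_session_user": reused, "after_login_user": after_login}


if __name__ == "__main__":
    print("weak:    ", scenario(WeakKioskSessions()))
    print("hardened:", scenario(HardenedKioskSessions()))
```

With the weak store, Mallory is treated as Alice both when she reuses the leftover token and even after she "logs in", because the login merely hands back the session already bound to the kiosk account. With the hardened store the leftover token has idled out and resolves to nothing, and Mallory's own login yields a session that only identifies her. Turning off Windows authentication for the kiosk-plus-EMR case, as the Philips fix does, removes the shared-account binding that makes the weak pattern possible; the idle and absolute timeouts are the additional controls a practitioner would expect on any shared workstation.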

Users with questions regarding their specific IntelliSpace Cardiovascular installations should contact their local Philips service support team or their regional service support.

The Philips product security web site carries the latest security information.


