Nine Vulnerabilities Identified in Philips E-Alert Units

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory about nine vulnerabilities that have recently been discovered in Philips E-Alert units.

ICS-CERT has now issued four advisories for Philip healthcare devices and products in the past month. Previous advisories covered vulnerabilities in:

  • Philips IntelliVue Information Center iX – 1 vulnerability
  • Philips PageWriter Cardiographs – 2 vulnerabilities
  • Philips IntelliSpace Cardiovascular cardiac image and information management software – 2 vulnerabilities

The latest advisory concerns Philips eAlert units – non-medical devices that are used to identify issues with MRI machines, allowing IT teams to resolve problems before they become serious. Healthcare companies all over the world use Philips eAlert units.

One of the nine vulnerabilities has been rated critical, five have been given a rating of high severity, and three are rated medium severity. If an attacker on the same subnet exploits the vulnerabilities, it would be possible to:

  • Obtain the user’s contact details
  • Compromise unit integrity and availability
  • Execute arbitrary code
  • Change the data displayed by the device
  • Cause the device to crash

The vulnerabilities impact all versions of the software on the devices, including R2.1.

The nine vulnerabilities are detailed below in order of severity:

CVE-2018-8856 (CWE-798) – Hard-Coded Credentials with CVSS v3 score of 9.8

A hard-coded cryptographic key is contained in the software used for internal data encryption.

CVE-2018-8842 (CWE-319) – Cleartext Transmission of Sensitive Information with CVSS v3 score of 7.5

Sensitive and security-critical data are transmitted in cleartext and could therefore be intercepted by unauthorized persons, allowing contact information and program login information to be acquired from within the same subnet.

CVE-2018-8854 (CWE-400) – Uncontrolled Resource Consumption with CVSS v3 score of 7.5

The size or quantity of resources requested or affected by an actor are not appropriately limited, which could result in more resources than expected being consumed.

CVE-2018-8850 (CWE-20) – Incorrect Input Validation with CVSS v3 score of 7.1

Incorrect validation of input would allow an attacker to send input in a style not expected by the program. This could result in parts of the unit receiving unintended input altering control flow, arbitrary resource control, or could allow arbitrary code execution.

CVE-2018-8846 (CWE-79) – Improper Neutralization of Input in the Course of Generating a Web Page with CVSS v3 score of 7.1

The software isn’t able to neutralize – or incorrectly neutralizes – user-controlled input prior to sending output that is utilized by web pages which are served to other users.

CVE-2018-8848 (CWE-276) – Incorrect Default Permissions with CVSS v3 score of 7.1

When the software program is installed, incorrect permissions are fixed for an object that exposes it to an unintended actor.

CVE-2018-8844 (CWE-352) – Cross-Site Request Forgery with CVSS v3 score of 6.8

The web app does not sufficiently confirm if a well-formed, legitimate, consistent request was deliberately given by the user who submitted the request.

CVE-2018-8852 (CWE-384) – Session Fixation with CVSS v3 score of 6.4

Whenever authenticating a user or creating a new user session, a threat actor could potentially steal authenticated sessions without any current session identifier being invalidated.

CVE-2018-14803 (CWE-200) – Information Exposure with CVSS v3 score of 5.3

This is a banner disclosure vulnerability that can permit an attacker to obtain product data like the OS and program components through the HTTP response header.

Four vulnerabilities were fixed with the release of R2.1 (CVE-2018-8842, CVE-2018-8856, CVE-2018-8850, CVE-2018-8852) and the last five vulnerabilities (CVE-2018-8854, CVE-2018-8846, CVE-2018-8848, CVE-2018-14803, CVE-2018-8844) will be fixed with a software update that is expected to be released by the end of the year.

Users of vulnerable equipment must make sure they upgrade to software version R2.1 which will resolve four of the vulnerabilities, including the critical hard-coded credential flaw.

Philips additionally recommends users should take the following steps to minimize the possibility of exploitation of the five other flaws:

Make sure that network security best practices are followed and network access to e-Alert is restricted, as is detailed in the product documentation.