Vulnerabilities Found in Philips IntelliVue Information Center iX and PageWriter Cardiographs

This week, the Industrial Control Systems Cyber Emergency Team (ICS-CERT) has issued two advisories about three vulnerabilities in Philips medical devices and software – PageWriter cardiographs and its real-time central monitoring program, the Philips IntelliVue Information Center iX. All three vulnerabilities are categorized as medium risk.

The Philips IntelliVue Information Center iX version B.02 is affected by a denial of service vulnerability – CVE-1999-0103.  A user of the system found the flaw and reported it to Philips, which subsequently reported it to the National Cybersecurity and Communications Integration Center’s (NCCIC).

The vulnerability may be remotely exploited and does not call for an advanced skill level. If several initial UDP requests are made, the accessibility of the device could be jeopardized as the operating system could becomes unresponsive. The vulnerability was given a CVSS v3 base score of 5.7.

Philips has taken steps to reduce the potential for threat actors to exploit the vulnerability. All users of PIIC iX B.02 are advised to study the device labeling, user manual, and service guides which include compensating controls. A patch is going to be available to correct the vulnerability by the end of September 2018.

Philips has identified two vulnerabilities that affect its PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs. The vulnerabilities exist in all versions prior to May 2018.

CVE-2018-14799 is an improper input validation vulnerability. Data entered by users is not properly sanitized by the devices. As such, an individual could trigger a buffer overflow. When exploited, it would be possible for device configurations to be altered. The vulnerability was given a CVSS v3 base score of 5.9.

The CVE-2018-1480 vulnerability concerns the use of hard-coded credentials. To exploit this flaw, a hacker must have physical access to the device and the superuser password. If the hacker succeeds, it would be possible to alter all device configurations and reset current passwords. This vulnerability was given a CVSS v3 base score of 6.1.

Philips will address the vulnerabilities with a new release in the middle of 2019. Philips also pointed out that the WinCE5 operating system on PageWriter TC20, TC30, TC50 and TC70 is outdated and support for the OS has now stopped. Users may upgrade TC50 and TC70 to WinCE7 by downloading the new OS from InCenter. TC20 and TC30 don’t support WinCE7 so cannot be updated. Users are encouraged to upgrade to the TC50 device if they are worried about using an unsupported operating system. TC20 will be updated by the end of 2019 and will support WinCE7.

Meanwhile, Philips recommends implementing appropriate physical security controls to prevent unauthorized access, controlling system component accessibility to safeguard the healthcare devices in the system, and to employ multi-factor authentication.