Vulnerabilities Found in Philips IntelliVue Patient and Avalon Fetal Monitors

An advisory was issued by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) regarding the vulnerabilities found in some Philips IntelliVue Patient and Avalon Fetal monitors. Philips has identified three vulnerabilities in its products and informed ICS-CERT.

If an attacker exploits the vulnerabilities, it would be possible to read/write memory and implement a denial of service by restarting the system. The exploitation could lead to a slow down in patient diagnosis and treatment. The following products have been identified to have vulnerabilities:

  • IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only);
  • IntelliVue Patient Monitors MP Series (includingMP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M;
  • Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3

Vulnerabilities Found in the Devices:

  • CWE-200 – Information Exposure Vulnerability
    An unauthenticated attacker could exploit and read the memory of a device on the same subnet.
  • CWE-0287 – Improper Authentication Vulnerability
    If an unauthenticated person gains LAN access, it would be possible to access the memory (write-what-where) of a chosen device on the same subnet.
  • CWE-121 – Stack-Based Buffer Overload Vulnerability
    An attacker that exploits this vulnerability will expose an echo service and trigger a stack overflow.

What Philips Did to Mitigate the Problem:
Philips revealed the device vulnerabilities under its co-ordinated vulnerability disclosure policy. Philips issued an advisory to let users know about the vulnerabilities in affected products to allow them to take action to prevent the flaws from being exploited. Phillips explained there is no way to exploit the vulnerabilities remotely. A malicious actor needs to first access the LAN to the devices are connected. In addition, the attacker must have a high level of technical ability to exploit the vulnerabilities.

So far, there have been no reports received to indicate the vulnerabilities have been exploited in the wild. Philips is developing a patch to fix all three vulnerabilities on IntelliVue software Revisions J-M and Avalon software Revisions G.0 and J.3 in 2018. For devices running on non-supported versions, Philips is providing an update-path to help users upgrade their device to a supported version. Users of affected devices should contact their Philips sales representative for more information.

For the time being, users can take the following steps to minimize the possibility of exploitation of the vulnerabilities:

  • For IntelliVue Monitors – Carry out the guidelines for use in the Security for Clinical Networks Guide and upgrade to Revision K.2 or newer software.
  • For Avalon Fetal Monitors Release G.0 and Release J.3 – Carry out the Data Privacy and Network Security specifications available in the installation and service manual.
  • For Avalon Fetal Monitors Release F.0 – Follow the recommendations in the Rev J.3 Service Guide Data Privacy and Network Security requirements section.
  • Employ physical security access controls to limit device access to authorized users, as specified in the Philips Security for Clinical Networks guide and the IntelliVue Clinical Networks Configuration Guide.
  • Apply logical security access controls to keep the devices from connecting beyond the Philips clinical network.
  • Locate all vulnerable devices behind firewalls and keep them separated from the business network.
  • Make sure that the devices are not accessible online.