ICS-CERT has issued a warning regarding two vulnerabilities that have been discovered in Philips IntelliSpace Cardiovascular products – an improper privilege management vulnerability (CVE-2018-14787) and an unquoted search path or element vulnerability (CVE-2018-14789).
CVE-2018-14787 affects IntelliSpace Cardiovascular software version 2.x and prior versions and Xcelera V4.1 and prior versions. If exploited, the vulnerability would allow privilege escalation, access to folders containing executables, and arbitrary code execution, giving an attacker full control of the system. The vulnerability cannot be exploited remotely: local access is necessary, and an authenticated user must have write privileges. The vulnerability was given a CVSS v3 rating of 7.3.
CVE-2018-14789 affects IntelliSpace Cardiovascular Version 3.1 and prior versions and Xcelera Version 4.1 and prior versions. This vulnerability could be exploited to allow an attacker to execute arbitrary code and escalate privileges. The vulnerability was given a CVSS v3 rating of 4.2.
The vulnerabilities were identified internally and Philips reported them to the National Cybersecurity and Communications Integration Center (NCCIC).
The improper privilege management vulnerability was resolved in version 3.1 of IntelliSpace Cardiovascular software. Users of IntelliSpace Cardiovascular version 2.x or earlier versions or Xcelera V4.1 or earlier versions have been advised to contact the Philips service support team for information on updating to version 3.1.
Philips will be correcting the unquoted search path or element vulnerability in version 3.2 of IntelliSpace Cardiovascular software, which will be made available in October 2018.
In the meantime, Philips recommends reviewing file permission policies and limiting permissions wherever possible.
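The permission review recommended above can start from an inventory of where an unquoted search path actually applies. The following is an added example, not code from Philips or ICS-CERT: it assumes the software runs as Windows services, and every service name and path in it is a constructed placeholder.

```python
import ntpath
import re

# Constructed sample ImagePath values; the names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleImagingSvc": r"C:\Program Files\Example Vendor\Imaging Suite\svc.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# End of the executable portion, so spaces in arguments are not counted.
EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the command line up to and including the executable name."""
    match = EXE_END.search(image_path)
    return image_path[:match.end()] if match else image_path


def is_unquoted_with_spaces(image_path):
    """True when the executable path has spaces and is not wrapped in quotes."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in executable_part(path)


def directories_to_review(image_path):
    """Parent directories where write access must be limited to administrators."""
    exe = executable_part(image_path.strip())
    dirs = []
    for index, char in enumerate(exe):
        if char == " ":
            parent = ntpath.dirname(exe[:index])
            if parent and parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Map each affected service name to the directories needing an ACL review."""
    return {name: directories_to_review(path)
            for name, path in services.items() if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(name, "-> review write permissions on:", dirs)
```

Until the vendor fix is installed, any directory the audit reports should be writable only by administrators.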
A number of vulnerabilities have been discovered in IntelliSpace products in the last few months.
- In March 2018, ICS-CERT issued a warning about vulnerabilities in all models of iSite and IntelliSpace PACS, a few of which were assigned a CVSS v3 severity rating of 10, the highest possible score. Exploitation of the vulnerabilities could compromise system integrity, patient confidentiality, and system availability.
- In February 2018, ICS-CERT issued a warning about vulnerabilities in the IntelliSpace Portal, which were assigned severity scores between 3.1 and 8.1. Overall, 35 vulnerabilities were found, several of which would allow remote code execution.
- In January, an advisory was issued about an insufficient session expiration vulnerability in IntelliSpace Cardiovascular software, which was assigned a CVSS v3 rating of 6.7 and would allow access to be gained to sensitive patient information.