Philips reveals code execution vulnerabilities in cardiovascular devices

Only a low level of skill is required to exploit the bugs.

Vulnerabilities have been discovered in multiple versions of Philips cardiovascular imaging devices.

According to a security advisory from the US Department of Homeland Security's ICS-CERT, the first vulnerability, CVE-2018-14787, is a high-severity flaw which affects the Philips IntelliSpace Cardiovascular and Xcelera IntelliSpace Cardiovascular (ISCV) products.

The advisory says that the vulnerability takes only a "low-level skill" to exploit and is caused by improper privilege management.

In ISCV software version 2.x or prior and Xcelera Version 4.1 or prior, attackers with escalated privileges are able to access folders, potentially containing executables, in which authenticated users have write permissions.

"Successful exploitation of these vulnerabilities could allow an attacker with local access and users privileges to the ISCV/Xcelera server to escalate privileges on the ISCV/Xcelera server and execute arbitrary code," the advisory says.

The second vulnerability, CVE-2018-14789, impacts ISCV version 3.1 or prior and Xcelera Version 4.1 or prior. Unquoted search paths permit attackers to raise their privilege levels and execute arbitrary code.

In a Philips corporate security advisory, the company said the servers for ISCV version 2.x and earlier and Xcelera 3.x -- 4.x contain 20 Windows services whose executables are present in a folder where authenticated users are granted write permissions.

"The services run as a local admin account or local system account, and if a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions," Philips added.

In ISCV version 3.x and earlier and Xcelera 3.x -- 4.x, there are 16 Windows services that do not have quotes in the path name.

The services run with local admin rights and can be initiated with a registry key, potentially offering an attacker an avenue through which to place an executable that grants local admin rights.
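
As an added example (not code from Philips, ICS-CERT or the original article), the following Python audit flags service ImagePath values that show the unquoted-path condition described above, proposes the quoted form, and lists the directories whose write permissions need review. The service names and paths are constructed sample data, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample data: service names and ImagePath values are invented
# for illustration and are not taken from ISCV or Xcelera.
SAMPLE_SERVICES = {
    "DemoImagingSvc": r"C:\Program Files\Demo Vendor\Imaging Server\imgsvc.exe -k run",
    "DemoQuotedSvc": r'"C:\Program Files\Demo Vendor\Archive\archsvc.exe" --service',
    "DemoNoSpaceSvc": r"C:\DemoVendor\bin\dbsvc.exe /start",
    "DemoEnvSvc": r"%ProgramFiles%\Demo Vendor\sync.exe",
    "DemoDriver": r"\SystemRoot\System32\drivers\demo.sys",
}

# Unquoted values: the executable ends at the first .exe/.com/.bat/.cmd that is
# followed by whitespace or end of string; the rest is arguments.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (executable_path, was_quoted) for an ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = EXE_RE.match(value)
    return (match.group(1) if match else value.split(" ", 1)[0]), False


def audit(services):
    """Map each unquoted, space-containing service path to its remediation."""
    findings = {}
    for name, image_path in services.items():
        exe, quoted = executable_part(image_path)
        if quoted or " " not in exe:
            continue
        review = []
        for i, ch in enumerate(exe):
            if ch == " ":
                # Parent of each space-terminated prefix: write access for
                # non-admin accounts on this directory must be checked.
                parent = ntpath.dirname(exe[:i])
                if parent not in review:
                    review.append(parent)
        arguments = image_path.strip()[len(exe):]
        findings[name] = {"quoted_image_path": f'"{exe}"{arguments}', "review_acl": review}
    return findings


if __name__ == "__main__":
    for svc, result in audit(SAMPLE_SERVICES).items():
        print(svc, result)
```

On a real server the ImagePath values live under HKLM\SYSTEM\CurrentControlSet\Services\<name> and can be passed to audit() in place of the sample dictionary.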

The bugs cannot be exploited remotely and no reports have been received which indicate exploitation in the wild.

Mitigations will be applied through a patch scheduled for release in October. In the meantime, Philips says that users should "where possible" restrict available permissions.

"Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers," the company says. "Philips has taken the lead in creating a Coordinated Vulnerability Disclosure policy, to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner."

We cannot ignore security weaknesses in medical devices. As shown when the US Food and Drug Administration (FDA) forced the recall of 465,000 St. Jude pacemakers in order to patch them, bugs in such systems can cause anxiety in patients -- and could even stop their devices working altogether.

Daniel Miessler, director of advisory services at IOActive, told ZDNet that the FDA is little more than a "toothless dragon" when it comes to enforcing adequate security measures in medical devices.

Perhaps it is time that medical device manufacturers are held to a more stringent security standard.
