The United States Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Tuesday informing enterprises about 15 vulnerabilities affecting Philips Vue healthcare products.
According to CISA, the issues affect many Philips Clinical Collaboration Platform Portal (Vue PACS) products, including MyVue, Vue Speech, and Vue Motion. Many of the flaws are in third-party components.
The security holes include incorrect input validation, memory bugs, improper authentication, insecure/improper resource initialization, use of expired cryptographic keys, use of weak cryptographic algorithms, improper use of protection mechanisms, data integrity issues, cross-site scripting (XSS), improperly protected credentials, and cleartext transmission of sensitive data.
“Successful exploitation of these vulnerabilities could allow an unauthorised person or process to eavesdrop, view or modify data, gain system access, execute code, install unauthorised software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” according to CISA.
Seven of the 15 flaws appear to be unique to Philips products, with the remainder affecting third-party components like Redis, 7-Zip, Oracle Database, jQuery, Python, and Apache Tomcat.
The problems in third-party components were discovered between 2012 and 2020. The CVE IDs for the Philips problems are all from 2021.
Four of the flaws have been classified as critical, while four have been rated as having high severity. The rest are categorised as being of medium or low severity.
Some of the vulnerabilities have been patched, according to CISA, but others will not be patched until the first quarter of 2022. In the meantime, organizations can use mitigations to reduce the risk of exploitation.
While CISA mentions a Philips security advisory, the electronics manufacturer does not appear to have issued a public statement.
CISA advises users and administrators to review the ICS medical advisory ICSMA-21-187-01 Philips Vue PACS and apply any necessary upgrades or workarounds.