Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system.
"Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
The 15 flaws affect:
- VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior),
- Vue MyVue (versions 12.2.x.x and prior),
- Vue Speech (versions 12.2.x.x and prior), and
- Vue Motion (versions 12.2.1.5 and prior)
Five of the issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been assigned a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities inherited from flaws previously patched in Redis.
Another high-severity flaw (CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform's use of cryptographic keys beyond their established expiration date, "which diminishes its safety significantly by increasing the timing window for cracking attacks against that key."
Other weaknesses include the use of a broken or risky cryptographic algorithm (CVE-2021-33018), cross-site scripting when handling user-controllable input (CVE-2015-9251), insecure methods of protecting authentication credentials (CVE-2021-33024), improper initialization of resources (CVE-2018-8014, also one of the 9.8-rated issues above), and a failure to adhere to coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.
While Philips has addressed some of the shortcomings in updates shipped in June 2020 and May 2021, the Dutch healthcare company is expected to patch the remaining issues in version 15 of Speech, MyVue, and PACS, which is currently in development and scheduled for release in Q1 2022.
In the interim, CISA is urging organizations to minimize network exposure for all control system devices and ensure they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access, while recognizing that a VPN is only as secure as the endpoints it connects and must itself be kept up to date.
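One concrete way to implement CISA's segmentation advice, as an added example that is not from the advisory or from Philips: an nftables ruleset for the firewall fronting the PACS segment. The VLAN layout, all addresses and the VPN client pool are hypothetical, and the ports are the conventional DICOM (TCP 104 and 11112) and HTTPS ports rather than anything the advisory states.

```nftables
# Added example (not from the CISA advisory or from Philips): nftables ruleset
# for a firewall in front of a Vue PACS segment. Assumptions, all hypothetical:
#   - the PACS server lives on 10.10.20.0/24 (imaging VLAN)
#   - modalities and radiology workstations that must speak DICOM are on 10.10.30.0/24
#   - remote radiologists reach the web portal only through the VPN concentrator,
#     whose client pool is 10.10.99.0/24
#   - DICOM listens on TCP 104 and 11112, the web portal on TCP 443
table inet pacs_edge {
    set dicom_clients {
        type ipv4_addr
        flags interval
        elements = { 10.10.30.0/24 }
    }
    set vpn_pool {
        type ipv4_addr
        flags interval
        elements = { 10.10.99.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # The policy-drop default is what actually enforces "not accessible from
        # the Internet"; the two rules below are the only permitted exceptions.
        ip daddr 10.10.20.0/24 ip saddr @dicom_clients tcp dport { 104, 11112 } accept
        ip daddr 10.10.20.0/24 ip saddr @vpn_pool tcp dport 443 accept

        # Log what the policy drops so probing of the PACS segment is visible to the SOC.
        ip daddr 10.10.20.0/24 log prefix "pacs-drop " counter drop
    }
}
```

Load it with `nft -f` and confirm the counters move under `nft list table inet pacs_edge`. The caveat is that reachability controls shrink the attacker population but do not remove the flaws: anyone already on the imaging VLAN, or holding valid VPN credentials, still faces the same 9.8-rated issues until the fixed release ships, so the ruleset is a stopgap that complements patching rather than a substitute for it.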