Philips SureSigns Improper Access Vulnerabilities
Summary
Several vulnerabilities in a number of Philips Healthcare patient monitors have been disclosed. Exploitation of these may result in patient information being leaked.
Affected platforms
The following platforms are known to be affected:
Philips SureSigns VS4 Versions: A.07.107 and earlier
Threat details
Introduction
Philips Healthcare has released details of several vulnerabilities affecting their SureSigns VS4 vital signs monitors. They claim that an unauthorised attacker could exploit these vulnerabilities to alter configuration settings and obtain patient data.
Vulnerability details
All three vulnerabilities appear to be the result of SureSigns VS4 systems not properly validating user input, likely due to an incorrectly implemented kiosk mode. This lack of validation in turn leads to the vulnerable systems not correctly verifying or restricting user access levels.
Remediation advice
At the time of publication, Philips Healthcare has not confirmed if an update to address these vulnerabilities will be produced. However, they have recommended that affected organisations ensure all vulnerable SureSigns systems are not using default passwords.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 24 August 2020 4:06 pm