Philips Patient Monitor Vulnerabilities

Threat ID:: CC-3619
Threat Severity:: Low
Published:: 14 September 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

Philips IntelliVue Versions: MP2 to MP90 (versions N and earlier), MX100, MX400 to MX650, X2 (versions N and earlier), and X3 (versions N and earlier)

Philips Patient Information Center iX (PICiX) Versions: B.02, C.02, and C.03

Philips PerformanceBridge Focal Point Versions: A.01

Threat details

Introduction

Philips Healthcare has released details of eight vulnerabilities affecting a number of their patient monitoring products. They claim that an unauthorised user with access to a vulnerable system may exploit some or all of these vulnerabilities to obtain patient information or interrupt monitoring services.

Vulnerabilities

All eight vulnerabilities appear to to be the result of several underlying flaws in the way the vulnerable systems handle user-provided information.

CVE-2020-16212 - PICiX systems incorrectly expose resources users without the proper level of access, resulting in a user being able to escape a restricted kiosk environment on the system.
CVE-2020-16214 - PICiX systems store user input in a local CSV file but do not effectively remove any special elements from the input that could be interpreted as commands.
CVE-2020-16216 - IntelliVue systems improperly validate user inputs are correct, resulting in a full system restart.
CVE-2020-16218 - PICiX systems do not effectively remove user inputs that are then used as outputs on webpages. This can lead to patient data leakage via read-only web applications.
CVE-2020-16220 - Focal Point and PICiX systems improperly handle malformed inputs, resulting in certificate enrollment services failing.
CVE-2020-16222 - Focal Point and PICiX systems do not properly vet user identity claims.
CVE-2020-16228 - IntelliVue, Focal Point, and PICiX systems incorrectly check certificate revocation status, which can result in usage of compromised certificates.
CVE-2020-16224 - PICiX systems incorrectly parse or handle massages with lengths inconsistent with the length of associated data, resulting in monitoring services restarting.

Threat updates

Date	Update
22 Nov 2021	Update to remediation dates The update schedule of affected products has been changed to the following: Q1 2021: IntelliVue Patient Monitors Versions N.00 and N.01 (Changed -- no update planned) IntelliVue Patient Monitors Version M.04: Contact a Philips service support team for an upgrade path (Changed release date) Q4 2021: PerformanceBridge Focal Point Q4 2020: Patient Information Center iX (PICiX) Version C.03

Date

Update

22 Nov 2021

Update to remediation dates

The update schedule of affected products has been changed to the following:

Q1 2021: IntelliVue Patient Monitors Versions N.00 and N.01
(Changed -- no update planned) IntelliVue Patient Monitors Version M.04: Contact a Philips service support team for an upgrade path
(Changed release date) Q4 2021: PerformanceBridge Focal Point
Q4 2020: Patient Information Center iX (PICiX) Version C.03

Remediation advice

Philips has confirmed that updates to all affected products will be released on the following schedule:

Q1 2021: IntelliVue versions N.00 and N.01
Q4 2021: IntelliVue version M.04
Q2 2021: PerformanceBridge Focal Point
Q4 2020: PICiX version C.03

Additionally, Philips state they will begin to revoke certificates on vulnerable systems beginning in 2023.

Affected organisations are encouraged to review Philips' InCenter and product security pages, and to contact their relevant suppliers to apply updates as they become available

Definitive source of threat updates

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

CVE Vulnerabilities

Status Published

CVE-2020-16212

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.

Status Published

CVE-2020-16214

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

Status Published

CVE-2020-16216

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product receives input or data but does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly, which can induce a denial-of-service condition through a system restart.

Status Published

CVE-2020-16218

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.

Status Published

CVE-2020-16220

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The product receives input that is expected to be well-formed (i.e., to comply with a certain syntax) but it does not validate or incorrectly validates that the input complies with the syntax, causing the certificate enrollment service to crash. It does not impact monitoring but prevents new devices from enrolling.

Status Published

CVE-2020-16222

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. When an actor claims to have a given identity, the software does not prove or insufficiently proves the claim is correct.

Status Published

CVE-2020-16224

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart.

Status Published

CVE-2020-16228

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate.

Last edited: 22 November 2021 11:52 am