Philips MRI 1.5T and 3T Vulnerabilities

Summary

Vulnerabilities centre around improper access control, incorrect ownership assignment, and exposure of sensitive information to an unauthorised attacker.


Threat details

Introduction

Philips has released an advisory for three vulnerabilities in the affected Philips MRI software solutions, tracking them as CVE-2021-3083, CVE-2021-3084, and CVE-2021-3085. The vulnerabilities involve improper access control, incorrect ownership assignment for resources, and potential exposure of sensitive information to unauthorised attackers.

Successful exploitation of these vulnerabilities may allow an unauthorised attacker to execute software, modify system configuration, view or update files, and export data (including patient data) to an untrusted environment. At the time of writing, Philips is not aware of the vulnerabilities being exploited in the wild.


Remediation advice

Affected organisations should review the Philips MRI 1.5 and 3T release 5 (2022 November 9) security advisory. Philips has not released any security updates for this product but reports that it plans to release a software upgrade that will correct the affected software in Q3 2022.

Philips recommends mitigating this vulnerability by ensuring that users operate all Philips deployed and supported products within Philips authorised specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product.
 



Last edited: 10 November 2021 2:56 pm