A U.S. government cybersecurity agency has found multiple vulnerabilities in a Philips picture archiving and communication system that could give bad actors access to sensitive data and software.
The U.S. Cybersecurity and Infrastructure Security Agency warned that Philips’ Vue PACS can be remotely exploited through relatively low-complexity attacks. It identified 15 specific flaws that apply to the following products:
- Vue PACS versions 12.2.x.x and prior.
- Vue MyVue versions 12.2.x.x and prior.
- Vue Speech versions 12.2.x.x and prior.
- Vue Motion versions 184.108.40.206 and prior.
“Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” the CISA, part of the Department of Homeland Security, said in a July 6 advisory.
The four most serious problems have been assigned a Common Vulnerability Scoring System score of 9.8, indicating a “critical” problem. These stem from improper input data validation and from flaws carried over from previous patches.
Additionally, the Vue platform’s use of expired cryptographic keys has earned a CVSS score of 8.2, and “significantly” diminishes system safety.
Insufficiently protected credentials, data integrity issues, and protection mechanism failures are also listed among problems with the Dutch healthcare giant’s platform.
Philips was the first to report these security concerns to the CISA and has already fixed a number of vulnerabilities in June 2020 and May 2021 updates. Further actions will be taken in version updates released in Q1 2022.
In the meantime, the government organization recommends users minimize network exposure for all control systems and ensure they aren’t accessible from the internet. The group further suggests locating control systems behind firewalls and using VPNs for remote access.
“CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” the security agency said July 6.