Philips issues security advisory for cardiac imaging, information management software
The U.S. Department of Homeland Security’s Control Systems Cyber Emergency Response Team (ICS-CERT) and Philips Healthcare issued security advisories for vulnerabilities regarding the Philips' IntelliSpace Cardiovascular (ISCV) and Xcelera cardiology image and information management software products on Aug. 14.
“Successful exploitation of these vulnerabilities could allow an attacker with local access and users privileges to the ISCV/Xcelera server to escalate privileges on the ISCV/Xcelera server and execute arbitrary code,” according to the ICS-CERT.
Philips explained that it has confirmed the findings of a customer complaint submitted complaint regarding vulnerabilities that affected version 2.3.1 of ISCV. The vendor’s analysis also confirmed that versions 3.1 and earlier of ISCV are affected, in addition to versions 4.x and 3.x of Xcelera.
The following findings were noted in Philips security advisory:
- In ISCV version 2.x and earlier and Xcelera 4.x and 3.x, the servers contain 20 Windows services of which the executables are being present in a folder where authenticated users have write permissions. The services run as a local admin account or local system account. If a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions.
- In ISCV version 3.x and earlier and Xcelera 4.x and 3.x, there are 16 Windows services that do not have quotes in the path name. These services are running with local admin rights and are initiated with a registry key. This path may permit a user to place an executable that provides local admin rights.
Philips also noted that the issue occurs only if an authenticated user without admin privileges can access the ISCV/Xcelera servers locally as is disabled by default, according to Philips.
“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities,” according to the security advisory.
The vendor plans to fix the PACS issue by upgrading to ISCV version 3.2 scheduled for release in October. The version will be available to customers via the regular communication and distribution channels, according to Philips.
“As an interim mitigation to the vulnerabilities until ISCV Version 3.2 can be applied, Philips recommends that users review their file permission policies and where possible restrict available permissions,” according to ICS-CERT's security advisory.