1. Basic situation
Recently, Philips issued a security vulnerability notice, disclosing 15 security vulnerabilities in the Vue PACS diagnosis and treatment platform. Attackers can use these vulnerabilities to execute arbitrary code, change the expected control process of the system, access sensitive information or cause the system to crash. Most of the 15 security vulnerabilities disclosed this time can be exploited remotely, and the attack complexity is low. At present, the manufacturer has released product updates to fix vulnerabilities. It is recommended that affected users update to the safe version in time for protection, and do asset self-checking and prevention work to avoid hacker attacks.
2. Vulnerability level
High risk
3. Vulnerability description
Philips Vue PACS is a medical diagnostic platform of Philips, which is mostly used in the infrastructure of public healthcare.
According to the importance of the vulnerabilities, the vulnerabilities with greater impact are selected. The details of the vulnerabilities are as follows:
1. CVE-2021-33020: Security Configuration Vulnerability
The Philips Vue PACS diagnosis and treatment platform is still using expired security keys, which can cause attackers to use previously leaked keys to launch attacks on existing systems.
2. CVE-2021-27501: Security Configuration Vulnerability
The code of the Philips Vue PACS diagnosis and treatment platform does not follow the code security rules, which can cause attackers to use these code logic errors to attack the platform.
3. CVE-2021-33018: Security Configuration Vulnerability
The Philips Vue PACS diagnosis and treatment platform is still using encryption algorithms with hidden security risks, which can cause attackers to use vulnerabilities in the encryption algorithm to launch attacks on the platform.
4. CVE-2021-27497: Security Protection Vulnerability
The Philips Vue PACS diagnosis and treatment platform has major hidden dangers in safety, and it does not use sufficient safety measures to ensure the correct operation of the platform.
5. CVE-2021-27493: Data Unverified Vulnerability
When the Philips Vue PACS diagnosis and treatment platform received data, it did not perform strict field verification for the data, resulting in untrusted and dangerous data circulating within the platform. The attacker can perform unexpected functions on the platform by constructing a special request packet.
6. CVE-2021-33024: Identity information clear text transmission vulnerability
The Philips Vue PACS diagnosis and treatment platform uses an insecure method (unencrypted) when transmitting and storing identity credentials. As a result, attackers can directly obtain platform-related identity credentials by sniffing and intercepting network traffic, and use this to log on to the platform to carry out further attacks.
7. CVE-2021-33022: Plaintext transmission vulnerability
The Philips Vue PACS diagnosis and treatment platform transmits sensitive or safety-critical data in clear text during the communication process, and unauthorized attackers can sniff the detailed information in the data on the Internet.
Fourth, the scope of influence
Philips Vue PACS <= 12.2.x.x
Philips Vue MyVue <= 12.2.xx
Philips Vue Speech <= 12.2.xx
Philips Vue Motion <= 12.2.1.5
Five, safety recommendations
1. At present, Philips has officially released a software update to fix the vulnerability. It is recommended that affected users can contact the local Philips service support team to obtain relevant technical implementation.
https://www.philips.com/a-w/security/security-advisories.html#security_advisories
2. Temporary mitigation measures:
1) Turn on the automatic update function of the Philips Vue platform in time;
2) After installing the update, disconnect the Philips Vue platform from the Internet to ensure that you can only log in and access through the internal network;
3) Use a firewall to isolate the Philips Vue platform and restrict its intercommunication with personal terminals.
6. Reference link
https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01
source: Beijing Qihoo Technology Co., Ltd., Sangfor Technology Co., Ltd.
Post a Comment