ESB-2018.1002 - [Win] Philips iSite/IntelliSpace PACS: Execute arbitrary code/commands - Unknown/unspecified 2018-04-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1002
Advisory (ICSMA-18-088-01) Philips iSite/IntelliSpace PACS Vulnerabilities
                               4 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Philips iSite/IntelliSpace PACS
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Access Privileged Data          -- Unknown/Unspecified
                   Denial of Service               -- Unknown/Unspecified
                   Provide Misleading Information  -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-088-01

Comment: Access vectors were not specified for the respective impacts, and no
         specific CVE or CVSS details were given.

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-088-01) Philips iSite/IntelliSpace PACS Vulnerabilities

Original release date: March 29, 2018

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Philips has confirmed that Philips iSite and IntelliSpace PACS contain 
security vulnerabilities, predominantly in third-party components. Philips is
providing users a number of potential options to remediate these identified 
vulnerabilities.

AFFECTED PRODUCTS

Philips reports these vulnerabilities affect all versions of iSite and 
IntelliSpace PACS.

IMPACT

If exploited, these vulnerabilities could impact or compromise patient 
confidentiality, system integrity, and/or system availability. The 
vulnerabilities may allow attackers of low skill to provide unexpected input 
into the application, execute arbitrary code, alter the intended control flow
of the system, access sensitive information, or potentially cause a system 
crash.

Philips has received no confirmed reports of patient harm and has received no
complaints involving clinical use associated with these vulnerabilities.

Impact to individual organizations depends on many factors unique to each 
organization. NCCIC recommends organizations evaluate the impact of these 
vulnerabilities based on their operational environment and specific clinical 
usage.

BACKGROUND

Philips is a global company that maintains offices in many countries around 
the world, including countries in Africa, Asia, Europe, Latin America, the 
Middle East, and North America.

The affected products, Philips iSite and IntelliSpace PACS, are picture 
archiving communication systems supporting medical image management intended 
to be used by trained professionals, including but not limited to physicians,
nurses and medical technicians. The systems are software packages used with 
general purpose computing hardware to acquire, store, distribute, process and
display medical images and associated data throughout a clinical environment.
The software performs digital image processing, measurement, communication and
storage. The Philips iSite 3.6 platform is currently at its end of life and 
end of service.

According to Philips, iSite and IntelliSpace PACS are deployed across the 
Healthcare and Public Health sectors. Philips estimates these products are 
used in 30 countries around the world, including North America and other 
countries within Asia Pacific, Europe, and the Middle East.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER 
CWE-119

Certain languages allow direct addressing of memory locations and do not 
automatically ensure these locations are valid for the memory buffer being 
referenced. This can cause read or write operations to be performed on memory
locations that may be associated with other variables, data structures, or 
internal program data. As a result, an attacker may be able to execute 
arbitrary code, alter the intended control flow, read sensitive information, 
or cause the system to crash.

CVSS v3 base scores for these vulnerabilities range from 5.0 (medium) to 10.0
(critical).

CODE/SOURCE CODE VULNERABILITIES CWE-17

The software contains vulnerabilities typically introduced from code 
development or from the integration of third-party components that might 
typically be controlled, mitigated, or remediated during design, development,
or implementation of the software. Vulnerabilities identified from this 
category include common weaknesses, including: data processing (CWE-19), 
improper input validation (CWE-20), security features (CWE-254), credentials 
management (CWE-255), not using password aging (CWE-262), 
permissions/privileges/access controls to restrict access to a resource from 
an unauthorized actor (CWE-264), authorization (CWE-284), insufficient 
authentication to fully confirm the claim of identity from an actor (CWE-287),
cryptography (CWE-310), inadequate encryption strength (CWE-326), concurrent 
execution using shared resource with improper synchronization or race 
condition (CWE-362), resource management errors (CWE-399), insufficient 
controls over system resource consumption (CWE-400), potential use of software
memory buffers after the buffer has been freed/removed (CWE-416), NULL pointer
dereference (CWE-476), unquoted search path or element (CWE-428), weak 
password requirements (CWE-521), and use of hard-coded credentials (CWE-798).

As a result, an attacker may be able to impact the confidentiality, integrity,
and/or availability of the system by crafting unintended input into a form 
that is not expected by the rest of the application; altering control flow of
the software, attaining access or control of unauthorized system resources, or
causing arbitrary code execution. Moreover, an attacker could potentially 
direct over-utilization of limited system resources, thus enabling a 
denial-of-service attack.

CVSS v3 base scores for these vulnerabilities range from 2.1 (low) to 10.0 
(critical).

INFORMATION EXPOSURE CWE-200

An information exposure is the intentional or unintentional disclosure of 
information to an actor not explicitly authorized to have access to that 
information. As a result, an attacker may be able to read or enable 
unauthorized disclosure of sensitive information.

CVSS v3 base scores for these vulnerabilities range from 1.2 (low) to 7.5 
(high).

IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94

The software constructs all or part of a code segment using 
externally-influenced input from an upstream component, but it does not 
neutralize or incorrectly neutralizes special elements that could modify the 
syntax or behavior of the intended code segment. As a result, an attacker may
be able to execute unauthorized instructions or code.

CVSS v3 base scores for these vulnerabilities range from 7.5 (high) to 10.0 
(critical).

WEAKNESSES IN OWASP TOP TEN (2013) CWE-928:

The software contains vulnerabilities within this category that include common
weaknesses in improper neutralization of special elements used in an OS command
or OS command injection (CWE-78), failure to preserve web page structure or 
cross-site scripting (CWE-79), improper authentication (CWE-287), improper 
certificate validation (CWE-295), clear text transmission of sensitive 
information (CWE-319), and insufficient session expiration (CWE-613). As a 
result, an attacker may be able to access unauthorized resources or execute 
unauthorized instructions or code.

CVSS v3 base scores for these vulnerabilities range from 2.0 (low) to 10.0 
(critical).

IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE ('XXE') CWE-611:

The software processes an XML document that can contain XML entities with URIs
that resolve to documents outside of the intended sphere of control, causing 
the product to embed incorrect documents into its output.

As a result, an attacker may cause the system to read the contents of a local
file, force the application to make outgoing requests to servers the attacker
cannot reach directly, and bypass firewall restrictions or hide the source of
attacks such as port scanning.

CVSS v3 base score for this vulnerability is 5.0 (medium).
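The XXE weakness described above is usually closed on the receiving side by refusing
to parse documents that declare entities at all. The following check is an added
example, not code from the advisory or from Philips; the sample documents (including
the placeholder file URI) are constructed here for illustration, and the helper names
are the author's own.

```python
"""Reject XML that declares entities (XXE / entity-expansion) before parsing it."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities that could resolve outside it."""


def check_entities(xml_bytes: bytes) -> None:
    """Scan the DTD with expat and raise on any ENTITY declaration.

    Parameter-entity parsing is disabled so an external DTD subset is never
    fetched. Declarations with a SYSTEM or PUBLIC identifier are the XXE case
    (CWE-611); internal entities are rejected too, since nested internal
    entities are the basis of "billion laughs" resource exhaustion.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError(f"external entity {name!r} -> {system_id or public_id!r}")
        raise UnsafeXMLError(f"internal entity {name!r} is not allowed")

    parser.EntityDeclHandler = on_entity_decl
    # Defence in depth: if expat ever asks to load an external entity, refuse
    # (returning 0 aborts the parse with an ExpatError).
    parser.ExternalEntityRefHandler = lambda context, base, sys_id, pub_id: 0
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after the entity check passes."""
    check_entities(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe_xml(xml_bytes: bytes) -> bool:
    """True if the document parses and declares no entities; False otherwise."""
    try:
        parse_untrusted_xml(xml_bytes)
    except (UnsafeXMLError, expat.ExpatError, ET.ParseError):
        return False
    return True


# Constructed sample documents (placeholder identifiers, not real data or paths).
SAFE_DOC = b"<study><patient id='PLACEHOLDER-001'/><modality>CT</modality></study>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE study [<!ENTITY leak SYSTEM 'file:///placeholder/path'>]>"
           b"<study>&leak;</study>")
EXPANSION_DOC = (b"<!DOCTYPE s [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
                 b"<s>&b;</s>")
```

A service that receives XML from other systems would call `parse_untrusted_xml` at the boundary and log the `UnsafeXMLError` message as a detection signal.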

OTHER THIRD-PARTY COMPONENT VULNERABILITIES

The software contains other vulnerabilities from third parties including 
operating systems, networking equipment, and network time protocol that could
enable an attacker to cause a denial-of-service, execute arbitrary code, 
inject network packets, obtain sensitive information, and/or gain unauthorized
privileges to impact system confidentiality, integrity, or availability.

CVSS v3 base scores for these vulnerabilities range from 5.0 (medium) to 9.3 
(critical).

VULNERABILITY DETAILS

EXPLOITABILITY

Some of the affected vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Public exploits exist for some of these vulnerabilities, however, none are 
known to specifically target Philips iSite or IntelliSpace PACS.

DIFFICULTY

An attacker with a low skill level would be able to exploit these 
vulnerabilities.

MITIGATION

Philips IntelliSpace PACS runs in a managed service environment to minimize 
the risk of exploitation (virtual private network, firewall isolation from 
other networks, no internet access). In addition, Philips employs an automated
antivirus solution that continuously monitors and remediates threats across 
all systems in the managed service environment. Philips has a monthly 
recurring patch program in which all IntelliSpace PACS users are encouraged to
participate.

In addition, in 2016 Philips announced software updates and controlling 
mitigations on the affected PACS systems to further limit the risk and 
exploitability of these vulnerabilities.

Philips recommends three paths that users may select depending on their 
particular situation, which are offered by Philips at no charge for full 
service delivery model contracts:

    The simplest and most straightforward option is to enroll in the Philips
    recurring patching program, which will remediate 86% of all known
    vulnerabilities.

    A more robust option is to enroll in the Philips recurring patching
    program and update system firmware. This option will remediate 87% of all
    known vulnerabilities including all known critical vulnerabilities.

    The most robust option by Philips is to enroll in the recurring patching
    program and update system firmware and upgrade to IntelliSpace PACS 4.4.55x
    with Windows operating system 2012, which addresses product hardening. This
    option remediates 99.9% of all the known vulnerabilities including all
    critical vulnerabilities.

Philips will continue to add cybersecurity vulnerability remediation 
improvements through our Secure Development Lifecycle (SDL) as threats 
continue.

Users with questions regarding their specific iSite/IntelliSpace PACS 
solutions are advised by Philips to contact their Customer Success Manager 
(CSM), local Philips service support team, or regional service support. 
Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions 

Please see the Philips product security website for the latest security 
information for Philips products: https://www.philips.com/productsecurity 

NCCIC recommends users take defensive measures to minimize the risk of 
exploitation of these vulnerabilities. Specifically, users should:

    Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.

    Locate all medical devices and remote devices behind firewalls, and
    isolate them from the business network.

    When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and
    should be updated to the most current version available. Also recognize that
    VPN is only as secure as the connected devices.

NCCIC also provides a section for control systems security recommended 
practices on the ICS-CERT web page. NCCIC reminds organizations to perform 
proper impact analysis and risk assessment prior to deploying defensive 
measures.

Additional mitigation guidance and recommended practices are publicly 
available in the NCCIC Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to NCCIC for 
tracking and correlation against other incidents.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
