ESB-2018.1381 - [Win] Philips Brilliance Computed Tomography (CT) System: Multiple vulnerabilities 2018-05-04

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1381
            Philips Brilliance Computed Tomography (CT) System
                                4 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Philips Brilliance Computed Tomography (CT) System
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Increased Privileges     -- Console/Physical
                   Access Confidential Data -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8861 CVE-2018-8857 CVE-2018-8853

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-123-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-123-01)

Philips Brilliance Computed Tomography (CT) System

Original release date: May 03, 2018

Legal Notice

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service, referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the header.
For more information about TLP, see http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 8.4
  o ATTENTION: Low skill level to exploit.
  o Vendor: Philips
  o Equipment: Brilliance CT Scanners
  o Vulnerabilities: Execution with Unnecessary Privileges, Exposure of
    Resource to Wrong Sphere, Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker to
attain elevated privileges and access unauthorized system resources, including
access to execute software or to view/update files including patient health
information (PHI), directories, or system configuration. This could impact
system confidentiality, system integrity, or system availability. Philips has
received no reports of exploitation, or of incidents from clinical use,
associated with these vulnerabilities.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Philips reports that the vulnerabilities affect the following Brilliance CT
Scanners:

  o Brilliance 64 version 2.6.2 and below,
  o Brilliance iCT versions 4.1.6 and below,
  o Brilliance iCT SP versions 3.2.4 and below, and
  o Brilliance CT Big Bore 2.3.5 and below.

3.2 VULNERABILITY OVERVIEW

3.2.1   EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

Philips Brilliance CT devices operate user functions from within a contained
kiosk in a Microsoft Windows operating system. Windows boots by default with
elevated Windows privileges, enabling a kiosk application, user, or an attacker
to potentially attain unauthorized elevated privileges. Also, attackers may
gain access to unauthorized resources from the underlying Windows operating
system.

CVE-2018-8853 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H
/I:L/A:L).

3.2.2   EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

Vulnerabilities within the Brilliance CT kiosk environment could enable a
limited-access kiosk user or an unauthorized attacker to break out of the
containment of the kiosk environment, attain elevated privileges on the
underlying Windows OS, and access unauthorized resources of the operating
system.

CVE-2018-8861 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H
/I:L/A:L).

3.2.3   USE OF HARD-CODED CREDENTIALS CWE-798

The software contains fixed credentials, such as a password or cryptographic
key, which it uses for its own inbound authentication, outbound communication
to external components, or encryption of internal data. An attacker could
compromise these credentials and gain access to the system.

CVE-2018-8857 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H
/I:H/A:H).

3.3 BACKGROUND

  o Critical Infrastructure Sectors: Healthcare and Public Health
  o Countries/Areas Deployed: Worldwide
  o Company Headquarters Location: U.S.

3.4 RESEARCHER

Philips reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Philips has identified the following guidance and controlling risk mitigations:

  o Users should operate all Philips deployed and supported Brilliance CT
    products within Philips authorized specifications, including Philips
    approved software, software configuration, system services, and security
    configuration such as firewall operations.
  o Philips also recommends users implement a comprehensive, multi-layered
    strategy to protect their systems from internal and external security
    threats, including restricting physical access of the scanner to only
    authorized personnel, thus reducing the risk of physical access being
    compromised by an unauthorized user.

Philips has also remediated hard-coded credential vulnerabilities for
Brilliance iCT 4.x and above versions. The Philips iCT-iPatient (v4.x) family
Instructions for Use (IFU) refers to the ability to manage credentials and is
accessible from Philips InCenter at https://incenter.medical.philips.com for
entitled users.

Philips will be further assessing options for remediation with future product
introductions and/or upgrades across the Brilliance CT modality to address
these identified security vulnerabilities. Users with questions about their
specific Brilliance CT product should contact their local Philips service
support team or their regional service support. Contact information is
available at the following location:

http://www.usa.philips.com/healthcare/solutions/customer-service-solutions

The Philips advisory is available at the following URL:

http://www.philips.com/productsecurity

NCCIC recommends that users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should follow these
measures:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.
  o Locate medical devices behind firewalls, and isolate them from the business
    network.

NCCIC reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS-CERT website in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
For incident reporting: https://ics-cert.us-cert.gov/Report-Incident?


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================