-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0892
        Advisory (ICSMA-18-086-01) Philips Alice 6 Vulnerabilities
                               28 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Philips Alice
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Unauthorised Access    -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2018-7498 CVE-2018-5451 

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-086-01) Philips Alice 6 Vulnerabilities

Original release date: March 27, 2018

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Philips has identified improper authentication and missing encryption of 
sensitive data vulnerabilities in the Philips Alice 6 System product. Philips
scheduled a new product version release and supporting product documentation 
in December 2018. For all users of the Alice 6 System product, Version R8.0.2
or prior, Philips will update the devices to R8.0.3. This update will 
introduce encryption of data in transit and at rest, and stop transmission of
clear text usernames and passwords.

AFFECTED PRODUCTS

The following versions of the Alice 6 System are affected:

    Version R8.0.2 or prior.

IMPACT

Successful exploitation may allow an attacker to gain visibility to 
usernames/passwords and personal data. Insufficient encryption and 
cryptographic integrity checks can lead to altered, corrupted, or disclosed 
sensitive data. Disclosure of personal data can occur by replacing a trusted 
node with a malicious node.

Impact to individual organizations depends on many factors that are unique to
each organization. NCCIC recommends organizations evaluate the impact of these
vulnerabilities based on their operational environment and specific clinical 
usage.

BACKGROUND

Philips is a global company that maintains offices in several countries around
the world, including countries in Africa, Asia, Europe, Latin America, Middle
East, and North America.

The affected product, Philips Alice 6, is a Polysomnography System (PSG) that
is intended to record, display, and print physiological information to 
clinicians/physicians. According to Philips, Alice 6 is deployed across the 
Healthcare and Public Health sectors. Philips estimates this product is used 
in 50 countries around the world, including the United States and other 
countries within Asia Pacific, Europe, the Middle East, and North America.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER AUTHENTICATION CWE-287

When an actor claims to have a given identity, the software does not prove or
insufficiently proves that the claim is correct. This weakness can lead to the
exposure of resources or functionality to unintended actors, possibly 
providing attackers with sensitive information or the ability to execute 
arbitrary code.

CVE-2018-5451 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is 
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

The lack of proper data encryption passes up the guarantees of 
confidentiality, integrity, and accountability that properly implemented 
encryption conveys.

CVE-2018-7498 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is 
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities are publicly available.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

Philips will notify users of the identified vulnerabilities and will 
coordinate with the users to schedule updates. Philips is scheduled to release
a new product version and supporting product documentation in December 2018. 
For all users of the Alice 6 System product, version R8.0.2 or prior, Philips
will update the devices to R8.0.3. Philips encourages users to use Philips 
validated and authorized changes only for the Alice 6 device supported by 
Philips authorized personnel or under Philips explicit published directions 
for patches, updates, or releases.

As an interim mitigation to the vulnerabilities until the update can be 
applied, Philips recommends that users:

    Ensure that network security best practices are implemented, and

    Limit network access to Alice 6 in accordance with product documentation.

Users with questions regarding their specific Alice 6 installations should 
contact their local Philips service support team or their regional Alice 6 
service support. Contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions 

NCCIC recommends users take defensive measures to minimize the risk of 
exploitation of these vulnerabilities. Specifically, users should:

    Ensure that non-product related software packages, such as email and web
    browser software, are not installed on medical devices, as they could
    contain vulnerabilities, malware, and broaden the attack surface, which
    could impact the intended function of the device.

    Minimize network exposure for all control system devices and/or systems;
    ensure that they are not accessible from the Internet.

    Locate all medical devices and remote devices behind firewalls; isolate
    them from the business network.

    When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
    and should be updated to the most current version available. Also
    recognize that VPN is only as secure as the connected devices.

NCCIC also provides a section for control systems security recommended 
practices on the ICS-CERT web page. NCCIC reminds organizations to perform 
proper impact analysis and risk assessment prior to deploying defensive 
measures.

Additional mitigation guidance and recommended practices are publicly 
available in the NCCIC Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to NCCIC for 
tracking and correlation against other incidents.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----