Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3140
Advisory (icsma-20-254-01) Philips Patient Monitoring Devices
14 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Philips Patient Monitoring Devices
Publisher: ICS-CERT
Operating System: Network Appliance
Windows
Impact/Access: Increased Privileges -- Console/Physical
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Mitigation
CVE Names: CVE-2020-16228 CVE-2020-16224 CVE-2020-16222
CVE-2020-16220 CVE-2020-16218 CVE-2020-16216
CVE-2020-16214 CVE-2020-16212
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Medical Advisory (ICSMA-20-254-01)
Philips Patient Monitoring Devices
Original release date: September 10, 2020
Legal Notice
All information products included in https://us-cert.gov/ics are provided"as
is" for informational purposes only. The Department of Homeland Security (DHS)
does not provide any warranties of any kind regarding any information contained
within. DHS does not endorse any commercial product or service, referenced in
this product or otherwise. Further dissemination of this product is governed by
the Traffic Light Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 6.8
o ATTENTION: Low skill level to exploit
o Vendor: Philips
o Equipment: Patient Information Center iX (PICiX); PerformanceBridge Focal
Point; IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90; and
IntelliVue X2, and X3
o Vulnerabilities: Improper Neutralization of Formula Elements in a CSV File,
Cross-site Scripting, Improper Authentication, Improper Check for
Certificate Revocation, Improper Handling of Length Parameter
Inconsistency, Improper Validation of Syntactic Correctness of Input,
Improper Input Validation, Exposure of Resource to Wrong Sphere
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in unauthorized
access, interrupted monitoring, and collection of access information and/or
patient data.
Note : To successfully exploit these vulnerabilities, an attacker would need to
gain either physical access to surveillance stations and patient monitors or
access to the medical device network.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of the patient monitoring devices are affected:
o Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
o PerformanceBridge Focal Point Version A.01
o IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and
prior
o IntelliVue X3 and X2 Versions N and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF FORMULA ELEMENTS IN A CSV FILE CWE-1236
The software saves user-provided information into a comma-separated value (CSV)
file, but it does not neutralize or incorrectly neutralizes special elements
that could be interpreted as a command when the file is opened by spreadsheet
software.
CVE-2020-16214 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:H/UI:R/S:C/
C:L/I:L/A:N ).
Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
The software does not neutralize or incorrectly neutralizes user-controllable
input before it is placed in output that is then used as a webpage and served
to other users. Successful exploitation could lead to unauthorized access to
patient data via a read-only web application.
CVE-2020-16218 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:L/UI:N/S:U/
C:L/I:N/A:N ).
Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.
3.2.3 IMPROPER AUTHENTICATION CWE-287
When an actor claims to have a given identity, the software does not prove or
insufficiently proves the claim is correct.
CVE-2020-16222 has been assigned to this vulnerability. A CVSS v3 base score of
5.0 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/
C:L/I:L/A:L ).
Affects the following products: Patient Information Center iX (PICiX) Version
B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01.
3.2.4 IMPROPER CHECK FOR CERTIFICATE REVOCATION CWE-299
The software does not check or incorrectly checks the revocation status of a
certificate, which may cause it to use a compromised certificate.
CVE-2020-16228 has been assigned to this vulnerability. A CVSS v3 base score of
6.0 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:H/UI:N/S:U/
C:H/I:H/A:L ).
Affects the following products: Patient Information Center iX (PICiX) Versions
C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient
monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and
prior.
3.2.5 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
The software parses a formatted message or structure but does not handle or
incorrectly handles a length field that is inconsistent with the actual length
of the associated data, causing the application on the surveillance station to
restart.
CVE-2020-16224 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
Affects the following products: Patient Information Center iX (PICiX) Versions
C.02, C.03.
3.2.6 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286
The product receives input that is expected to be well-formed (i.e., to comply
with a certain syntax) but it does not validate or incorrectly validates that
the input complies with the syntax, causing the certificate enrollment service
to crash. It does not impact monitoring but prevents new devices from
enrolling.
CVE-2020-16220 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:R/S:U/
C:N/I:N/A:L ).
Affects the following products: Patient Information Center iX (PICiX) Versions
C.02, C.03, PerformanceBridge Focal Point Version A.01.
3.2.7 IMPROPER INPUT VALIDATION CWE-20
The product receives input or data but does not validate or incorrectly
validates that the input has the properties required to process the data safely
and correctly, which can induce a denial-of-service condition through a system
restart.
CVE-2020-16216 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
Affects the following products: IntelliVue patient monitors MX100, MX400-550,
MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions
N and prior.
3.2.8 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668
The product exposes a resource to the wrong control sphere, providing
unintended actors with inappropriate access to the resource. The application on
the surveillance station operates in kiosk mode, which is vulnerable to local
breakouts that could allow an attacker with physical access to escape the
restricted environment with limited privileges.
CVE-2020-16212 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:P/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
Affects the following products: Patient Information Center iX (PICiX) Versions
B.02, C.02, C.03.
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Netherlands
3.4 RESEARCHER
Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver
Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to
the Federal Office for Information Security (BSI), Germany, in the context of
the BSI project ManiMed (Manipulation of medical devices), which reported these
to Philips.
4. MITIGATIONS
Philips plans a new release to remediate all reported vulnerabilities:
o Patient Information Center iX (PICiX) Version C.03 by end of 2020
o PerformanceBridge Focal Point by Q2 of 2021
o IntelliVue Patient Monitors Versions N.00 and N.01 in Q1 of 2021
o IntelliVue Patient Monitors Version M.04 by end of 2021
o Certificate revocation within the system will be implemented in 2023
As a mitigation to these vulnerabilities, Philips recommends the following:
o The Philips patient monitoring network is required to be physically or
logically isolated from the hospital local area network (LAN). Philips
recommends using a firewall or routers that can implement access control
lists restricting access in and out of the patient monitoring network for
only necessary ports and IP addresses. Refer to the Philips Patient
Monitoring System Security for Clinical Networks guide for additional
information on InCenter .
o By default, the simple certificate enrollment protocol (SCEP) service is
not running. When needed, the service is configured to run based on the
duration or the number of certificates to be assigned. One certificate is
default, but if a certificate is not issued, the service will continue to
run. Limit exposure by ensuring the SCEP service is not running unless it
is actively being used to enroll new devices.
o When enrolling new devices using SCEP, enter a unique challenge password of
8-12 unpredictable and randomized digits.
o Implement physical security controls to prevent unauthorized login attempts
on the PIC iX application. Servers should be kept in controlled locked data
centers. Access to equipment at nurses' stations should be controlled and
monitored.
o Only grant remote access to PIC iX servers on a must-have basis.
o Grant login privileges to the bedside monitor and PIC iX application on a
role-based, least-privilege basis, and only to trusted users.
Users with questions regarding their specific Philips Patient Information
Center (PIC iX) and/or IntelliVue patient monitor installations and new release
eligibility should contact their local Philips service support team, or
regional service support, or call 1-800-722-9377.
Please see the Philips product security website for the Philips advisory and
the latest security information for Philips products.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Implement physical security measures to limit or control access to critical
systems.
o Restrict system access to authorized personnel only and follow a least
privilege approach.
o Apply defense-in-depth strategies.
o Disable unnecessary accounts and services.
o Where additional information is needed, refer to existing cybersecurity in
medical device guidance issued by the FDA .
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves
from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX17Lm+NLKJtyKPYoAQj90Q/7B0JckJCRWLi2dWbv4zWUPDmpoxhTMdvy
u5a3EgNKJVdszkAijDpQ8zhstZq0ax7j7eKFFNd3zD7WtHASrzLDFKABitCYrSRT
GDci3baG+jJG87ooCy5r/59e8ehcmMBwLJdGB827egXiPK+/0xtTtpA7CERmMks6
9tGGvrxO4qPu7DlAGSXNNLw//21eYATKnqST85l0kLXuVUWciKdsMQ+Z7B9DuUvc
BDJbd2I+3ltDf34m13sH73KqaQ1JN0ctuIN9uWj0x8tArP+0W1yvQegLzuNC5fZ/
sp9aeSl83SnyxvHhijSXy2oKKrU0JM7pjRZFoWb9GQEQyA9l9EO4mxI3G2KFm+jU
YcJkrbqQ3kayxIpkh4XY90BuRYVUnb4B7opwMTE9AK5lWMd7TAUrYzmrGQSKBnlf
EGQlBVtr2hABiB5oUfVEoIaODv7wBhTWxfNFxjY71yXPfThF+IUjmOrCYdKgx053
7UZRVlr6mHUZ66MN6nVNhOm+aXmDU+Pt8vsYYuvkgC9THo7T8nXu9pWukOOvHqqC
iKtZZhbb1+9fMlA0GrFm/sQ4WB9wP3csEbvQAI0RHDC89Xry/ILUaEAoQGCHbRt7
6nCwt3UXRfOycQjEdmgWhkbbq2JJx1TqyllFZdOAaPvAMmcgxF5nTHjcJKENTmZ+
Zh9pceBvO6s=
=nrby
-----END PGP SIGNATURE-----