The United States Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Tuesday informing enterprises about 15 security vulnerabilities affecting Philips Vue healthcare products.
According to CISA, the vulnerabilities affect many Philips Clinical Collaboration Platform Portal (Vue PACS) products, including MyVue, Vue Speech, and Vue Motion. Many of the flaws are in third-party components.
The vulnerabilities include improper input validation, memory bugs, improper authentication, insecure/improper resource initialization, use of expired cryptographic keys, use of weak cryptographic algorithms, improper use of protection mechanisms, data integrity issues, cross-site scripting (XSS), improperly protected credentials, and cleartext transmission of sensitive data.
CISA said in its advisory: “Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.”
Seven of the 15 flaws appear to be unique to Philips products, with the remaining affecting third-party components like Redis, 7-Zip, Oracle Database, jQuery, Python, and Apache Tomcat.
The vulnerabilities in third-party components were discovered between 2012 and 2020, while the Philips-specific security vulnerabilities have 2021 CVE identifiers.
Four of the flaws have been classified as critical, and four have been rated as high severity. The rest are categorised as medium or low severity.
Some of the vulnerabilities have been patched, according to CISA, but others will not be patched until the first quarter of 2022. In the meantime, organizations can apply mitigations to lower the risk of exploitation.
While CISA mentions a Philips security advisory, the electronics company does not appear to have issued a public statement.
CISA said: “CISA encourages users and administrators to review the ICS medical advisory ICSMA-21-187-01 Philips Vue PACS and to apply the necessary updates or workarounds.”