Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system.
“Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in an advisory.
The 15 flaws affect:
- Vue Picture Archiving and Communication Systems (versions 12.2.x.x and prior),
- Vue MyVue (versions 12.2.x.x and prior),
- Vue Speech (versions 12.2.x.x and prior), and
- Vue Motion (versions 126.96.36.199 and prior)
Four of the issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis.
Another critical flaw (CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform’s use of cryptographic keys past their expiration date, “which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.”
Other weaknesses involve the use of a broken or risky cryptographic algorithm (CVE-2021-33018), a cross-site scripting attack when handling user-controllable input (CVE-2015-9251), insecure methods to protect authentication credentials (CVE-2021-33024), improper or incorrect initialization of resources (CVE-2018-8014), and a failure to follow coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.
While Philips has addressed some of the shortcomings as part of its updates shipped in June 2020 and May 2021, the Dutch healthcare company is expected to patch the rest of the security issues in version 15 of Speech, MyVue, and PACS that’s currently in development and set for release in Q1 2022.
In the interim, CISA is urging entities to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access.