Philips Discloses Multiple VUE PACS Vulnerabilities: Healthcare Sector Walking on Thin Ice
2024-7-23 13:46:23 Author: cyble.com(查看原文) 阅读量:8 收藏

Internet Exposed VUE PACS a Storm Brewing in Hindsight

On July 18, 2024, Philips issued a security advisory addressing vulnerabilities within Philips Vue Picture Archiving and Communication System (PACS) versions prior to 12.2.8.410.  

The Philips Vue PACS is a sophisticated medical imaging solution used to manage, store, and transmit digital medical images and reports. Primarily employed in hospitals, diagnostic imaging centers, and other healthcare facilities, this system facilitates the storage and retrieval of images from multiple modalities such as X-rays, MRI, CT scans, and ultrasound. The PACS integrates with Electronic Medical Records (EMR) and Radiology Information Systems (RIS), allowing healthcare professionals to access and share patient images and reports seamlessly, improving diagnostic accuracy and patient care. 

By streamlining workflows and improving access to critical imaging data, Philips Vue PACS is intended to enhance clinical decision-making and operational efficiency in the Healthcare and Public Health Sectors. 

Among the thirteen vulnerabilities disclosed by Philips to government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), the majority of vulnerabilities fall under the High and Critical severity category (as shown in Table 1). 

Cyberattacks targeting the healthcare sector are on the rise, posing significant threats to patient safety, data privacy, and the operational stability of medical institutions. Recent vulnerabilities, such as those identified in Philips Vue PACS, exacerbate these risks, making healthcare systems more susceptible to exploitation. Upon successful exploitation, attackers could potentially gain unauthorized access to sensitive patient data, disrupt critical medical services, and even manipulate diagnostic information.   

The table below provides details on the recent vulnerabilities. 

CVE Vulnerability Type CVSS 3.1 CVSS4 
CVE-2020-36518 Out of Bonds Write 5.3 7.1 
CVE-2020-11113 Deserialization of Untrusted Data 8.8 7.1 
CVE-2020-35728 Deserialization of Untrusted Data 8.1 9.3 
CVE-2021-20190 Deserialization of Untrusted Data 8.1 9.3 
CVE-2020-14061 Deserialization of Untrusted Data 8.1 9.3 
CVE-2020-10673 Deserialization of Untrusted Data 8.8 8.7 
CVE-2019-12814 Deserialization of Untrusted Data 5.9 8.7 
CVE-2017-17485 Deserialization of Untrusted Data 9.8 9.3 
CVE-2021-28165 Uncontrolled Resource Consumption 7.5 8.8 
CVE-2023-40704 Use of Default Credentials 7.1 8.4 
CVE-2023-40539 Weak Password Requirement 4.4 4.8 
CVE-2023-40159 Exposure of Sensitive Information to an Unauthorized Actor 8.2 8.8 

Table 1: Vulnerability details of Philips VUE PACS 

Patch Details 

For vulnerabilities CVE-2020-36518, CVE-2020-11113, CVE-2020-35728, CVE-2021-20190, CVE-2020-14061, CVE-2020-10673, CVE-2019-12814, CVE-2017-17485, CVE-2023-40223, and CVE-2023-40159, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400* released in August 2023. –  Link

For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. Philips also recommends upgrading to the Vue PACS version 12.2.8.410* released in October 2023 – Link

For CVE-2023-40704 and CVE-2023-40539, Philips recommends configuring the Vue PACS environment per 8G7607 – Vue PACS User Guide Rev G available on Incenter – Link.  

Philips VUE PACS’ Internet Exposure 

The disclosed vulnerabilities (Table 1) can be exploited remotely and have low attack complexity. Hence, Cyble Research and Intelligence Labs (CRIL) investigated the impacted product’s internet exposure and observed the 495 internet-exposed Philips VUE PACS

It was observed that Brazil and the United States had the highest number of Philips VUE PACs exposure; the graph below provides insights into the Top 5 countries with the highest number of exposures.  

image 16

CRIL’s investigation discovered that the internet-exposed PACs are being used by multiple Healthcare facilities globally, as shown in the screenshot below. 

Figure 1 Screenshot indicating VUE PACs utilized by Healthcare facilities

Figure 1– Screenshot indicating VUE PACs utilized by Healthcare facilities 

Conclusion 

The Healthcare and Public Health sectors are vastly dependent on Picture Archiving and Communication Systems (PACs) due to their nature of operations within this environment; at the same time, the operations performed via PACs become a lucrative target for Threat Actors (TAs).  

The recent vulnerabilities within Philips VUE PACs and the affected product’s internet exposure might be leveraged by TAs in the near future for data breaches that compromise patients’ privacy, undermine trust in healthcare institutions, and even jeopardize patient safety by delaying critical medical diagnoses and treatments.  

Therefore, regular patching and updating of PACS are essential steps that need to be continuously taken to verify the security and integrity of healthcare operations, protect patient information, and maintain the overall resilience of healthcare services. 

Recommendations 

Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately. 

Implement proper network segmentation to avoid exposing critical assets over the Internet: Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats. 

Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats. 

Vulnerability Assessment and Penetration Testing (VAPT) exercises and auditing: Conduct regular VAPT exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards. 

Enhance your visibility into your organization’s external and internal assets: Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment. 

References: 

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01
https://www.philips.com/a-w/security/security-advisories.html

Related


文章来源: https://cyble.com/blog/philips-discloses-multiple-vue-pacs-vulnerabilities-healthcare-sector-walking-on-thin-ice/
如有侵权请联系:admin#unsafe.sh