A number of vulnerabilities found in certain Philips patient monitoring devices could enable an attacker with either access to the medical device network or physical access to perform a number of malicious activities, including accessing patient data, according to a Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert.
The advisory is an update to a September 2020 alert titled ICSMA-20-254-01, which detailed several serious flaws in a range of Philips patient monitoring devices. The new alert provides further detail on the flaws and on mitigation measures that reduce some of the risk, and it expands the list of impacted device types.
The eight flaws are found in multiple versions of Philips Patient Information Center iX, PerformanceBridge Focal Point, and the IntelliVue Patient Monitors MX100, X2, and X3; four of the eight are ranked as medium severity.
All of the devices either fail to check or improperly verify the revocation status of a certificate, which could allow the device to use a compromised certificate. MITRE’s vulnerability resource explains that “an improper check for certificate revocation is a far more serious flaw than related certificate failures… as the use of any revoked certificate is almost certainly malicious.”
“The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync,” according to MITRE. “This weakness is caused during implementation of an architectural security tactic.”
“When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete,” it added.
The vulnerability could also allow trust to be assigned to an unverified entity, as well as enable data from an untrusted or possibly malicious source to be integrated with legitimate data. It could also allow data to be disclosed to a user impersonating a trusted entity, thus leading to an unauthorized disclosure of data.
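The MITRE text quoted above describes the failure mode abstractly: a validator that checks a certificate's signature and expiry but never asks whether the issuer has revoked it. The following added example (not from the advisory, MITRE or Philips) models that gap in Python with constructed, simplified stand-ins for certificates and a CRL, using an HMAC in place of a real CA signature and no X.509 parsing. It contrasts the weak validator with a hardened one that fails closed when the CRL is missing, stale, tampered with, or lists the certificate's serial. All names, serials and dates are made up for the illustration.

```python
"""Modelling an improper certificate-revocation check (CWE-299 style).

Certificates, CRLs and signatures here are constructed, simplified
stand-ins: an HMAC plays the role of the CA signature and there is no
X.509 parsing. The point is the validator logic, not the wire format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Hypothetical CA signing key (constructed; HMAC stands in for RSA/ECDSA).
CA_KEY = b"constructed-ca-key-not-a-real-secret"
CA_NAME = "CN=Example Device CA"


def _sign(payload: bytes) -> str:
    """Stand-in for the CA signing a to-be-signed byte string."""
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_after: datetime
    signature: str = ""

    def tbs(self) -> bytes:
        """Bytes covered by the signature (to-be-signed part)."""
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.not_after.isoformat()}".encode()


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset
    signature: str = ""

    def tbs(self) -> bytes:
        serials = ",".join(str(s) for s in sorted(self.revoked_serials))
        return (f"{self.issuer}|{self.this_update.isoformat()}|"
                f"{self.next_update.isoformat()}|{serials}").encode()


def issue_cert(subject: str, serial: int, not_after: datetime) -> Certificate:
    cert = Certificate(subject, CA_NAME, serial, not_after)
    cert.signature = _sign(cert.tbs())
    return cert


def issue_crl(revoked, this_update: datetime, validity=timedelta(days=1)) -> CRL:
    crl = CRL(CA_NAME, this_update, this_update + validity, frozenset(revoked))
    crl.signature = _sign(crl.tbs())
    return crl


def validate_without_revocation(cert: Certificate, now: datetime):
    """The weak behaviour: issuer, signature and expiry only; revocation is never consulted."""
    if cert.issuer != CA_NAME:
        return False, "unknown issuer"
    if not hmac.compare_digest(cert.signature, _sign(cert.tbs())):
        return False, "bad signature"
    if now > cert.not_after:
        return False, "expired"
    return True, "ok"


def validate_with_revocation(cert: Certificate, crl, now: datetime):
    """Hardened: the same checks, then a fail-closed CRL check.

    Any condition that prevents a trustworthy revocation decision (no CRL,
    wrong issuer, bad CRL signature, CRL outside its validity window)
    rejects the certificate rather than silently skipping the check.
    """
    ok, reason = validate_without_revocation(cert, now)
    if not ok:
        return ok, reason
    if crl is None:
        return False, "revocation status unavailable"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer mismatch"
    if not hmac.compare_digest(crl.signature, _sign(crl.tbs())):
        return False, "CRL signature invalid"
    if not (crl.this_update <= now <= crl.next_update):
        return False, "CRL stale or not yet valid"
    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    return True, "ok"


def demo() -> dict:
    """Run both validators over constructed sample data and return the outcomes."""
    now = datetime(2021, 5, 1, tzinfo=timezone.utc)
    good = issue_cert("CN=monitor-01", 1001, now + timedelta(days=365))
    revoked = issue_cert("CN=monitor-02", 1002, now + timedelta(days=365))
    crl = issue_crl({1002}, now - timedelta(hours=1))
    # A CRL with the revoked serial stripped out but the old signature kept.
    tampered = CRL(crl.issuer, crl.this_update, crl.next_update, frozenset(), crl.signature)
    return {
        "weak_accepts_revoked": validate_without_revocation(revoked, now),
        "strict_rejects_revoked": validate_with_revocation(revoked, crl, now),
        "strict_accepts_good": validate_with_revocation(good, crl, now),
        "strict_no_crl": validate_with_revocation(good, None, now),
        "strict_stale_crl": validate_with_revocation(good, crl, now + timedelta(days=3)),
        "strict_tampered_crl": validate_with_revocation(revoked, tampered, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak validator happily accepts the revoked monitor certificate, which is exactly the "almost certainly malicious" acceptance MITRE warns about; the hardened one rejects it, and also rejects a missing, stale or tampered CRL rather than falling back to "no revocation information means fine". In a real deployment the same fail-closed choice applies to OCSP responses and to the CRL's nextUpdate field.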
The most severe flaw affects the Patient Information Center, which exposes a resource to the wrong control sphere and unintentionally gives unauthorized actors inappropriate access. It’s caused by a surveillance station application that operates in kiosk mode. An actor could then escape the restricted environment with only limited privileges.
To exploit the flaw, however, an attacker would need to have physical access.
Another Patient Information Center vulnerability stems from the software parsing a formatted message or structure without properly handling a field length that is inconsistent with the actual length of the associated data, which can cause the surveillance station app to restart.
Meanwhile, an improper input validation flaw found in a range of IntelliVue patient monitors means the device does not correctly validate that received input has the properties required to process it safely and correctly. As a result, an exploit could trigger a denial-of-service condition through a system restart.
Five researchers from the Netherlands discovered the vulnerabilities and reported them to the Federal Office for Information Security in Germany, then notified Philips. The vendor intends to release a software update to remediate the vulnerabilities.
For now, entities should apply Philips’ recommended mitigation steps to reduce the risk of exploitation, which includes requiring the patient monitoring network to be physically or logically isolated from the hospital’s local area network (LAN).
Firewalls or routers should implement access control lists to restrict access to only the necessary ports and IP addresses, both into and out of the patient monitoring network. Philips also noted that the Simple Certificate Enrollment Protocol (SCEP) service does not run by default, and that “the service is configured to run based on the duration or the number of certificates to be assigned.”
However, the default is one certificate, so the service will keep running as long as that certificate has not been issued. Administrators can limit the exposure “by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.”
Administrators should also enter a unique challenge password consisting of eight to 12 randomized, unpredictable digits when enrolling new devices through SCEP.
Further, all impacted devices should be equipped with physical security controls to prevent unauthorized login attempts, with servers stored in controlled and locked data centers. Philips added that access to nurse station equipment should also be monitored and controlled.
Admins should also consider the access controls for the Patient Information Center, by only granting remote access on a “must-have basis” according to their role and only providing login privileges to the impacted devices on a least-privilege, role-based basis to trusted users.
CISA also further urged entities to implement physical security measures to limit or control access to critical systems, while restricting access to only authorized personnel and disabling unnecessary accounts and services.