A variety of Philips medical device exposure security bugs

Medigate, a medical device security company in Israel, Philips, and ICS-CERT has issued announcements, revealing serious vulnerabilities in the Philips patient monitor. Affected devices include Philips IntelliVue MP and MX series, Avalon fetal monitors (FM20, FM30, FM40, and FM50).

Medigate’s researchers found three vulnerabilities in the Philips device:

• IMPROPER AUTHENTICATION CWE-287
  The vulnerability allows an unauthenticated attacker to access memory (“write-what-where”) from an attacker-chosen device address within the same subnet.

  CVE-2018-10597 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

• STACK-BASED BUFFER OVERFLOW CWE-121
  The vulnerability exposes an “echo” service, in which an attacker-sent buffer to an attacker-chosen device address within the same subnet is copied to the stack with no boundary checks, hence resulting in stack overflow.

  CVE-2018-10601 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H).

• INFORMATION EXPOSURE CWE-200
  The vulnerability allows an unauthenticated attacker to read memory from an attacker-chosen device address within the same subnet.

  CVE-2018-10599 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L).

Medigate states that these vulnerabilities allow unauthenticated remote attackers to write memory on the device, which may allow remote code execution. Successful exploitation of these vulnerabilities could allow an attacker to read and/or write memory to cause a denial of service problem, or to leak patient health information (PHI) and even undermine the integrity of patient data.

Philips stated in the security bulletin that the use of these vulnerabilities requires extensive technical knowledge and skills as well as access to the LAN hosting the affected devices, and stated that no reports on exploits have been received and no specific vulnerability has been identified. Publicly available code.

Philips is expected to release patches in the second and third quarters of 2018. At the same time, Philips recommends that users understand the safety and network configuration guidelines for risk reduction.