Phillips clinical imaging solution plagued by vulnerabilities

Phillips is developing a software update to mitigate 35 CVE-numbered vulnerabilities in the Philips IntelliSpace Portal (ISP), a clinical imaging visualization and analysis solution that is used by healthcare and public health organizations around the world.

Philips ISP vulnerabilities

According to ICS-CERT, some of the vulnerabilities can be exploited remotely by unauthenticated attackers and exploits for some of them are publicly available, although none are known to specifically target Philips ISP.

“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem,” the Dutch technology company noted.

About the vulnerabilities

Neither ICS-CERT nor Philips mentions how the vulnerabilities were discovered, but it’s likely that at least some of them are found in third-party code included in this and other products not manufactured by Phillips.

The vulnerabilities fall into several categories: improper input validation; information exposure; permission, privilege and access control; unquoted search path or element; leftover debug code; and cryptographic issues.

“Philips’ analysis has shown that these identified issues may allow attackers unauthorized access to sensitive information stored on the system, and modify this information as well as obtain sensitive information transmitted, including authentication credentials,” the company said, and confirmed that all 8.0.x and 7.0.x versions of the IntelliSpace Portal are affected.

Security updates and mitigations

Phillips has announced that these issues will be solved in the newest software release for Philips IntelliSpace Portal, which is expected to be pushed out in the coming months.

“Additionally, Philips’ evaluation of Operating System security patches is ongoing, and after appropriate testing, the patches and mitigating controls are posted on Philips’ InCenter. ISP users are recommended to obtain available mitigating controls by accessing their InCenter account,” ICS-CERT noted.

ICS-CERT has added to this their usual mitigation advice: Minimize network exposure of the devices, make sure that they are not accessible from the Internet, put them behind firewalls and isolate them from the business network, and access them remotely through VPNs.