Phillips plugs security flaws in e-Alert tool

Dutch tech company Phillips has fixed several serious security flaws in Philips e-Alert, a tool that helps magnetic resonance imaging (MRI) systems work as intended.

About Philips e-Alert

Philips e-Alert uses sensors to monitor key parameters of Phillips MRI systems deployed at healthcare facilities and to alert operators about potential issues become they become an actual problem.

It can be installed as a software or hardware solution and it also allows operators to control which data is shared with Philips – not patient data, though, just the name, email address and mobile phone number of the individuals designated to receive alert notifications.

It is also not a medical device, so there is no risk to patient safety.

About the vulnerabilities

The vulnerabilities were unearthed by Phillips in version R2.1 and prior of the solution. There are nine in total and they range from improper input validations and information exposure to incorrect default permissions and hard-coded credentials.

They can be exploited remotely or by attackers located within the same local subnet. Attackers may exploit them to compromise user contact details, impact unit integrity or availability, provide unexpected input into the application, execute arbitrary code, display unit information, or potentially cause the software/device to crash.

The company has currently fixed only the four most critical ones: the hard-coded credentials (CVE-2018-8856), the session fixation issue (CVE-2018-8852), the cleartext transmission of sensitive info (CVE-2018-8842) and the improper input validation flaw (CVE-2018-8850).

The rest will be addresses with a software update planned for the end of the year.

In the meantime, the company has reached out to affected users to schedule the latest updates and has advised them minimize exploitation risk by ensuring that network security best practices are implemented and limiting network access to e-Alert in accordance with product documentation.

According to ICS-CERT, there are no known public exploits that specifically target these vulnerabilities.