Critical vulnerabilities in Philips Vue PACS devices could allow remote takeover

  • A physician reviews medical images with the Philips Image Viewer for Vue PACS. Philips recently disclosed 15 critical vulnerabilities and provided patches or workarounds to remediate the risk. (Credit: Philips)

    Multiple critical vulnerabilities in Philips Clinical Collaboration Platform Portal could enable an attacker to take control of an affected system, according to a recent Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) alert.

    The collaboration platform portal is registered as a VUE Picture Archiving and Communication System (PACS). A total of 15 vulnerabilities were reported to CISA as impacting the Philips Vue PACS, MyVue, Vue Speech, and Vue Motion versions 12.2 and earlier.

    Four of the flaws have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, spotlighting the critical need to urgently apply the provided patch or workarounds.

    The first is an improper input validation issue, as the VUE platform receives input or data but fails to validate whether the provided input has the required properties to ensure the data is safely and correctly processed.

    CISA assigned CVE-2020-1938 to the flaw, which stems from the use of the Apache JServ Protocol (AJP). The vulnerability arises because Apache Tomcat treats AJP connections as having higher trust than similar HTTP connections.
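
    Because AJP connections carry that extra trust, a defender's first check is whether a Tomcat AJP connector listens beyond loopback or accepts connections without a shared secret. The audit below is an added example, not code from Philips, CISA, or the original article; the `audit_ajp` function and both `server.xml` fragments are constructed for illustration, and `address`, `secretRequired` and `secret` are the standard Tomcat AJP connector attributes.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed server.xml fragments for illustration (not from any Philips product).
WEAK_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false"/>
</Service></Server>"""

HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="CONSTRUCTED-PLACEHOLDER-SECRET"/>
</Service></Server>"""


def audit_ajp(server_xml):
    """Return one finding per weak setting on each AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches both "AJP/1.3" and class names such as ...ajp.AjpNioProtocol.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # plain HTTP connectors are out of scope here
        port = conn.get("port", "?")
        # Defaults changed across Tomcat releases, so require explicit values.
        address = conn.get("address")
        if address not in LOOPBACK:
            findings.append(f"AJP {port}: address={address!r} is not loopback-only")
        if conn.get("secretRequired", "").lower() != "true":
            findings.append(f"AJP {port}: secretRequired is not explicitly true")
        if not conn.get("secret"):
            findings.append(f"AJP {port}: no shared secret configured")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(name, audit_ajp(xml) or "no findings")
```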

    The second vulnerability is caused by a third-party software component from Redis. Improper restrictions within Vue’s memory buffer allow users to read from or write to a memory location outside the intended buffer boundary.

    The Redis component also holds the third 9.8 flaw, which is caused by improper authentication. If a user claims to have a given identity within the Vue platform, the Redis software does not prove or insufficiently proves the user’s claims are correct.

    Further, the Redis server operates on a remote host but is not protected by password authentication. As such, a remote attacker could exploit the vulnerability to gain access to the server.
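
    The condition described above, a Redis server reachable from other hosts with no password set, can be checked directly in `redis.conf`. This audit is an added example, not code from Philips, CISA, or the original article; `parse_conf`, `audit_redis` and both sample configurations are constructed, and the parser is simplified: it handles only `bind`, `requirepass` and `protected-mode`, and does not evaluate Redis ACL users.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed redis.conf contents for illustration (not from any Philips product).
WEAK_CONF = """
# listen on every interface, no password
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-placeholder-password"
"""


def parse_conf(text):
    """Map each directive name to the argument list of its last occurrence."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf[name.lower()] = [a.strip("\"'") for a in args]
    return conf


def audit_redis(text):
    """Return findings for remote exposure and missing password authentication."""
    conf, findings = parse_conf(text), []
    # A leading "-" on a bind address (Redis 6.2+) only marks it as optional.
    binds = [a.lstrip("-") for a in conf.get("bind", [])]
    # With no bind directive at all, Redis listens on every interface.
    if not binds or any(a not in LOOPBACK for a in binds):
        where = ", ".join(binds) or "no bind directive"
        findings.append(f"listens on a non-loopback interface: {where}")
    if not "".join(conf.get("requirepass", [])):
        findings.append("requirepass is unset: clients are not asked for a password")
    if (conf.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode is disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis(text) or "no findings")
```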

    The fourth critical flaw is caused by the Vue software initializing or setting a resource with a default that is not secure. This issue is also caused by the Apache Tomcat protocol.

    Another serious flaw ranked with CVSS 8.2 is caused by the Vue platform’s use of cryptographic keys or passwords beyond the established expiration date, “which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.”

    Other serious flaws in Vue include improper or incorrect initialization of resources and failure to follow coding rules for development that could increase the severity of the other system vulnerabilities. The software also transmits sensitive or security-critical data in cleartext through the Vue communication channel, which can easily be “sniffed by unauthorized actors.”

    “Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” according to the alert.

    Philips released software updates to address some of the flaws, but multiple vulnerabilities require system administrators to apply workarounds in the interim as the patches are currently in development and won’t be released for some time.

    CISA is urging health care and public health entities to review the medical advisory from Philips and apply the necessary workarounds. Currently, there are no known public exploits specifically targeting these flaws.

    Entities should minimize network exposure for all control system devices and review controls to confirm the systems aren’t accessible from the internet. Administrators should locate control system networks and remote devices, place them behind firewalls, and isolate the devices from the enterprise network.

    If remote access to the vulnerable Vue PACS is required, secure methods such as a virtual private network (VPN) should be used. However, VPNs also hold known vulnerabilities, and entities must ensure the chosen VPN is updated to the most current version.

    “Also recognize that VPN is only as secure as the connected devices,” the alert reads. “CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”

    For more insights into ensuring the security of control systems like PACS, CISA previously provided recommended best practices. Entities can review a range of guidance from updating the antivirus within the ICS environment to developing an ICS cybersecurity incident response plan.

    PACS have been in the spotlight in the last month, with the Department of Health and Human Services urging covered entities to review their inventory of PACS and ensure vulnerabilities are patched and vulnerable devices are isolated from the network. The Philips Vue platform, however, was not listed among the vulnerable devices.

    SC Media’s recent report sheds light on the ongoing health care issue in the U.S., where vulnerable PACS are actively exposing millions of medical images.