A vulnerability in the Philips IntelliSpace Cardiovascular (ISCV) line of medical data management products would allow privilege escalation and arbitrary code execution – opening the door for an attacker to siphon out all kinds of confidential patient information, including medical images and full diagnostic details.
According to an ICS-CERT alert issued this week, an attacker with local access to the ISCV/Xcelera server could use the flaw to gain administrative access, and from there be able to open folders which contain executables where authenticated users have write permission. That would allow a bad actor to execute information-exfiltrating malware, backdoors, ransomware or any other kind of bad code he or she chose. He or she could also pivot to other parts of the network, if the systems haven’t been properly partitioned.
While the potential damage doesn’t stop at patient privacy, the amount of data that the flaw could offer access to is notable. The ISCV is comprehensive information management software that’s used by medical personnel to maintain patients’ cardiovascular clinical information, including cardiac imaging files. Features include the “Cardiology Timeline,” which provides a “panoramic chronological overview of your patients’ cardiovascular care continuum,” according to the Philips website.
The ISCV also offers the ability to launch into third-party applications that offer correlating information on a “system, patient, study and series level” – meaning that potential data exposure could be much larger than what the ISCV itself is home to.
The vulnerability (CVE-2018-14787) has a base CVSS score of 7.3, making it a medium-severity flaw. That’s because, although it requires only a low skill level to exploit for severe privacy infractions, success requires an attacker to have local network access to the software to begin with – which would require exploiting some other vulnerability (or status as a legitimate user).
The affected products are the ISCV version 3.1 or earlier, and the Xcelera version 4.1 or earlier. A patch is scheduled to be released in October 2018 with ISCV Version 3.2, according to Philips.
As interim mitigations for the vulnerabilities until ISCV Version 3.2 can be applied, users should take basic precautions and apply network sequestration practices: restrict available permissions wherever possible; minimize network exposure for all control system devices and/or systems; ensure that they’re not accessible from the internet; locate control system networks and remote devices behind firewalls (and isolate them from the business network); and use VPNs when remote access is required.
No known public exploits specifically target these vulnerabilities, ICS-CERT added.
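For administrators acting on the "restrict available permissions" advice, the following added example (not from Philips or ICS-CERT) flags the condition described above: executable folders or files where broad user groups hold write-level rights. It assumes the server runs Windows and that its ACLs were dumped with `icacls`; the `C:\ExampleApp` paths and the sample output are constructed placeholders.

```python
import re

# Well-known Windows principals that include every ordinary logged-on user.
BROAD = ("Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users")
# icacls right codes that let a principal create or overwrite files:
# F full, M modify, W write, GA/GW generic all/write, WD write data, AD append.
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD"}
ACE = re.compile(
    r"(?<![\w\\])(?P<who>" + "|".join(map(re.escape, BROAD))
    + r"):(?P<flags>(?:\([^)]*\))+)\s*$", re.IGNORECASE)

# Constructed `icacls <dir> /T` output; C:\ExampleApp is a placeholder path.
SAMPLE = r"""
C:\ExampleApp\bin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                  BUILTIN\Administrators:(I)(OI)(CI)(F)
                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)

C:\ExampleApp\bin\service.exe BUILTIN\Users:(I)(RX)
                              NT AUTHORITY\Authenticated Users:(I)(R,W)

C:\ExampleApp\logs BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

def broad_write_grants(icacls_text):
    """Return (path, principal, write_rights) for each allow ACE that gives
    a broad user group write-level access."""
    findings, head = [], ""
    for line in icacls_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() and indent == 0:
            head = line                  # first line of an entry: "<path> <ACE>"
        m = ACE.search(line)
        if not m:
            continue
        codes = set(re.findall(r"[A-Z]+", m.group("flags").upper()))
        if "DENY" in codes or not codes & WRITE:
            continue
        # Continuation lines are indented to len(path) + 1 columns.
        path = (line[:m.start()] if indent == 0 else head[:indent]).rstrip()
        findings.append((path, m.group("who"), sorted(codes & WRITE)))
    return findings

if __name__ == "__main__":
    for path, who, rights in broad_write_grants(SAMPLE):
        print(f"{path}: {who} has {','.join(rights)}")
```

Each finding is a candidate for tightening to read-and-execute only, after confirming the application does not need to write there.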