Over 1850 Total Lots Up For Auction at Six Locations - MA 04/30, NJ Cleansweep 05/02, TX 05/03, TX 05/06, NJ 05/08, WA 05/09

Spanish Spanish

Vulnerabilities found in Philips cardiovascular imaging devices

by Thomas Dworetzky, Contributing Reporter | August 27, 2018
Health IT
Share
Homeland Security announcements about healthcare software vulnerabilities have hit the news – again.

The latest involve software flaws hitting the Philips IntelliSpace Cardiovascular and Xcelera IntelliSpace Cardiovascular (ISCV) products, according to a security advisory from the U.S. Department of Homeland Security's ICS-CERT.

The first one, CVE-2018-14787, is another privilege management problem – and requires little skill to exploit, says the agency.

In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 2.x or prior and Xcelera Version 4.1 or prior), “an attacker with escalated privileges could access folders that contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions,” said the advisory, adding that, “successful exploitation of these vulnerabilities could allow an attacker with local access and users privileges to the ISCV/Xcelera server to escalate privileges on the server and execute arbitrary code.”

The second weak spot, announced in CVE-2018-14789, is in ISCV version 3.1 or prior and Xcelera Version 4.1 or prior, said the advisory, noting that, “an unquoted search path or element vulnerability has been identified, which may allow an attacker to execute arbitrary code and escalate their level of privileges.”

Philips responded in a security advisory that “confirmed the findings of a customer-submitted complaint” about the servers for ISCV version 2.x and earlier and Xcelera 3x – 4.x containing 20 Windows services of which executables are present in a folder where authenticated users are granted write permissions.

“The services run as a local admin account or local system account, and if a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions,” Philips advised.

It also advised that, “in ISCV version 3.x and earlier and Xcelera 3.x – 4.x, there are 16 Windows services that do not have quotes in the path name.

“The services run with local admin rights and can be initiated with a registry key, potentially offering an attacker an avenue in which to place an executable that grants local admin rights.”

The hacks can only be done locally – and there have been no reports of exploitation “in the wild.”

A new patch slated for an October release should fix these issues, and in the meanwhile, the company urges that users restrict permissions “where possible.”
Sign up for Health IT stories Sign up for Weekly Top stories

You Must Be Logged In To Post A Comment

Sign up for Weekly Top stories

Sign up for Health IT stories

 

advertisement

Health IT Homepage

Through Edgility acquisition ABOUT aims for end-to-end AI-driven patient flow
Bayer and Google Cloud to accelerate development of AI-powered radiology applications
GE HealthCare closes MIM Software deal
Teleradiology company and CEO admit to unlawful billing, will pay $3.1 million
How Gartner's 2024 cybersecurity trends can guide your cybersecurity efforts
IONIC Health, GE HealthCare announce 510(k)-clearance of nCommand Lite System for multi-vendor, remote imaging
Field service technicians: Unsung heroes in maintaining efficiency and reducing headaches in hospital networks
HHS opens probe into role Change Healthcare may have played in cyberattack
Philips and AWS unveil pathology cloud data storing initiative at HIMSS
PE firm Frazier HealthCare Partners acquires RevSpring from GTCR