Threat Intelligence: IntelliVue Vulnerabilities

New Advisory Issued: ICSMA-20-254-01
Cynerio
News
Sep 11, 2020

What Devices Are Affected?

Philips IntelliVue patient monitors and related devices, including:

  • IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior
  • IntelliVue X3 and X2 Versions N and prior
  • Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  • PerformanceBridge Focal Point Version A.01

Advisory Information

ICS-CERT issued a new advisory (ICSMA-20-233-01) on September 10, 2020. It covers a set of vulnerabilities with a combined CVSS v3 base score of 6.8 that threat actors can exploit remotely:

1. CVE-2020-16214
Improper input validation.
This vulnerability has a CVSS v3 base score of 4.2. If exploited, the device may not safely and correctly validate input or data.

2. CVE-2020-16218
Improper access control.
Unauthorized actors may receive remote access to the device due to improper access restriction. This vulnerability has a CVSS v3 base score of 6.3.

3. CVE-2020-16222
Improper authentication.
The software on the device does not sufficiently prove an actor’s identity and can grant unauthorized access. This vulnerability has a CVSS v3 base score of 4.9.

4. CVE-2020-16228
Improper input validation.
This vulnerability has a CVSS v3 base score of 6.0. If exploited, the device may not safely and correctly validate input or data.

5. CVE-2020-16224
Improper access control.
Unauthorized actors may receive remote access to the device due to improper access restriction. This vulnerability has a CVSS v3 base score of 6.5.

6. CVE-2020-16220
Improper authentication.
The software on the device does not sufficiently prove an actor’s identity and can grant unauthorized access. This vulnerability has a CVSS v3 base score of 3.5.

7. CVE-2020-16216
Improper input validation.
This vulnerability has a CVSS v3 base score of 6.5. If exploited, the device may not safely and correctly validate input or data.

8. CVE-2020-16212
Improper access control.
Unauthorized actors may receive remote access to the device due to improper access restriction. This vulnerability has a CVSS v3 base score of 6.8.

What Is the Vulnerability’s Impact on Health Care?

If any of these vulnerabilities are successfully exploited, threat actors can gain remote access to sensitive medical devices. This can result in compromised ePHI or even device functionality, leading to negative patient outcomes.

Further, data concerning patients' vitals can also be tampered with, which can compromise treatment plans and cause physical harm to patients.  

How Cynerio Can Help You Mitigate the Threat

Step 1: Cynerio identifies and locates all vulnerable devices on your network and sends alerts to your relevant team members.

Step 2: Once devices are identified, change all system passwords on IntelliVue devices.

Step 3: Assign unique passwords to each device and secure each device when it isn’t being used to prevent unauthorized access.

Step 4: Replace the devices with newer models, as recommended by Philips.

Step 5: For all at-risk devices that remain in use on your network, Cynerio will automatically configure segmentation policy to reduce the risk.

Step 6: After your devices are segmented, Cynerio will constantly monitor your at-risk devices, flag policy violations, and send alerts on any suspicious activity.

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-233-01 

https://www.usa.philips.com/healthcare/about/customer-support/product-security
