May 28, 2023

Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal, some of which could be exploited by an adversary to take control of an affected system.

Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.

The 15 flaws impact:

  • VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior),
  • Vue MyVue (versions 12.2.x.x and prior),
  • Vue Speech (versions 12.2.x.x and prior), and
  • Vue Motion (versions 12.2.1.5 and prior)

(CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis.

(CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform’s use of cryptographic keys beyond their established expiration date, “which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.”

Other weaknesses involve the use of a broken or risky cryptographic algorithm (CVE-2021-33018), a cross-site scripting attack when handling user-controllable input (CVE-2015-9251), insecure methods to protect authentication credentials (CVE-2021-33024), improper or incorrect initialization of resources (CVE-2018-8014), and a failure to follow coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.

Philips patch few now and rest will be patched earlier next year. CISA is urging entities to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access.

Tags:

Leave a Reply

You may have missed

TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
Buhti Ransomware Dissection

Buhti Ransomware Dissection

May 26, 2023
%d bloggers like this: