Multiple critical vulnerabilities in the Philips Clinical Collaboration Platform could allow an attacker to take over a vulnerable system.
The VUE Picture Archiving and Communication Systems (PACS) platform is used to enable users to collaborate with each other. Phillips reported to CISA 15 vulnerabilities that impact the Philips Vue PACS, Vue Speech, MyVue, and Vue Motion versions up to 12.2.
Four of the flaws have been rated critical (CVSS 9.8), highlighting the urgent need for patches or workarounds.
The first issue – CVE-2020-1938 – is an improper input validation. This issue occurs when the VUE platform receives an improper input or data but fails to validate it. The flaw pertains to the use of Apache JServ (AJP). It can be exploited to remotely execute arbitrary code.
The second vulnerability, found in a third-party software component by Redis, stems from improper restrictions within the VUE’s memory buffer allowing to read or write to a memory location from outside the intended buffer boundary.
The third one, an improper authentication issue, is also found in Redis component. This issue could allow a remote attacker to execute arbitrary code on the server.
Other flaws that have been reported in the Vue platform are lack of password authentication on a remote host, improper or incorrect initialization of resources, setting a resource as default, but it’s not secure, and more.
The software also transmits sensitive data through an insecure communication channel that be “sniffed by unauthorized actors.”.
“Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,” according to CISA’s alert.
Several patches have been released by Philips, but some bugs require system administrators to implement workarounds in order to address them.
Philips has issued an advisory that details the flaws in its software. This advisory has been shared by CISA with public health organizations and health care providers.
No public exploits targeting these flaws are known at this time.