Philips evaluated one of its products and discovered that it was affected by nine different security bugs, one of them of critical severity.
An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Thursday describes the vulnerabilities in the Philips e-Alert Unit, warning that the device is exploitable remotely if exposed to the internet, or from the local network.
The horde of security flaws affects versions R2.1 and earlier of the product. Their severity ratings range from medium, for exposing information about the operating system and software components, to critical, for hardcoded credentials.
The e-Alert Unit from Philips is a solution that monitors the performance of medical imaging systems. It is not a medical device in itself but it alerts when key parameters on MRI machines are amiss.
"Successful exploitation from an attacker within the same subnet may impact or compromise user contact details, unit integrity, and/or unit availability. The vulnerabilities may allow attackers to provide unexpected input into the application, execute arbitrary code, display unit information, or potentially cause e-Alert to crash," the ICS-CERT advisory states.
The vulnerabilities are as follows:
In June, Philips released an update that eliminated some of the problems, including the hardcoded credentials. The company plans to address the other issues in a new version by the end of the year.