Philips evaluated one of its products and discovered that it was affected by nine different security bugs, one of them of critical severity.

An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Thursday describes the vulnerabilities in Philips e-Alert Unit, warning that the device can be exploited remotely if it is exposed to the internet, or from the local network.

The horde of security flaws affects versions R2.1 and earlier of the product. Their severity ratings range from medium, for exposing information about the operating system and software components, to critical, for hardcoded credentials.

The e-Alert Unit from Philips is a solution that monitors the performance of medical imaging systems. It is not a medical device in itself but it alerts when key parameters on MRI machines are amiss.

"Successful exploitation from an attacker within the same subnet may impact or compromise user contact details, unit integrity, and/or unit availability. The vulnerabilities may allow attackers to provide unexpected input into the application, execute arbitrary code, display unit information, or potentially cause e-Alert to crash," the ICS-CERT advisory states.

The vulnerabilities are as follows:

  1. Improper input validation (CVE-2018-8850) - crafting malicious input in a form could result in altered control flow, arbitrary control of a resource, or arbitrary code execution
  2. Cross-site scripting (CVE-2018-8846) - improper neutralization of input during web page generation
  3. Information exposure (CVE-2018-14803) - the adversary can obtain details about the product that could serve for an attack
  4. Incorrect default permissions (CVE-2018-884) - software sets incorrect permissions during installation
  5. Sending data in cleartext (CVE-2018-8842) - security-critical data is sent over an unencrypted channel and this could expose personal contact information and login credentials
  6. Cross-site request forgery (CVE-2018-8844) - insufficient verification of the source of a well-formed request
  7. Session fixation (CVE-2018-8852) - the software authenticates a user without invalidating any existing session identifiers, which lets an attacker hijack the authenticated session
  8. Resource exhaustion (CVE-2018-8854) - the software fails to restrict the amount of resources that can be consumed
  9. Use of hardcoded credentials (CVE-2018-8856) - the software encrypts internal data with a hardcoded cryptographic key; if an attacker reverse engineers the software and finds the key, they can use it on any Philips e-Alert software

In June, Philips released an update that eliminated some of the problems, including the hardcoded credentials. The company plans to address the other issues in a new version by the end of the year.