Philips Discloses Multiple VUE PACS Vulnerabilities: Healthcare Sector Walking on Thin Ice
Internet Exposed VUE PACS a Storm Brewing in Hindsight
On July 18, 2024, Philips issued a security advisory addressing vulnerabilities within Philips Vue Picture Archiving and Communication System (PACS) versions prior to 12.2.8.410.
The Philips Vue PACS is a sophisticated medical imaging solution used to manage, store, and transmit digital medical images and reports. Primarily employed in hospitals, diagnostic imaging centers, and other healthcare facilities, this system facilitates the storage and retrieval of images from multiple modalities such as X-rays, MRI, CT scans, and ultrasound. The PACS integrates with Electronic Medical Records (EMR) and Radiology Information Systems (RIS), allowing healthcare professionals to access and share patient images and reports seamlessly, improving diagnostic accuracy and patient care.
By streamlining workflows and improving access to critical imaging data, Philips Vue PACS is intended to enhance clinical decision-making and operational efficiency in the Healthcare and Public Health Sectors.
Among the thirteen vulnerabilities disclosed by Philips to government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), the majority of vulnerabilities fall under the High and Critical severity category (as shown in Table 1).
Cyberattacks targeting the healthcare sector are on the rise, posing significant threats to patient safety, data privacy, and the operational stability of medical institutions. Recent vulnerabilities, such as those identified in Philips Vue PACS, exacerbate these risks, making healthcare systems more susceptible to exploitation. Upon successful exploitation, attackers could potentially gain unauthorized access to sensitive patient data, disrupt critical medical services, and even manipulate diagnostic information.
The table below provides details on the recent vulnerabilities.
| CVE | Vulnerability Type | CVSS 3.1 | CVSS4 |
| CVE-2020-36518 | Out of Bonds Write | 5.3 | 7.1 |
| CVE-2020-11113 | Deserialization of Untrusted Data | 8.8 | 7.1 |
| CVE-2020-35728 | Deserialization of Untrusted Data | 8.1 | 9.3 |
| CVE-2021-20190 | Deserialization of Untrusted Data | 8.1 | 9.3 |
| CVE-2020-14061 | Deserialization of Untrusted Data | 8.1 | 9.3 |
| CVE-2020-10673 | Deserialization of Untrusted Data | 8.8 | 8.7 |
| CVE-2019-12814 | Deserialization of Untrusted Data | 5.9 | 8.7 |
| CVE-2017-17485 | Deserialization of Untrusted Data | 9.8 | 9.3 |
| CVE-2021-28165 | Uncontrolled Resource Consumption | 7.5 | 8.8 |
| CVE-2023-40704 | Use of Default Credentials | 7.1 | 8.4 |
| CVE-2023-40539 | Weak Password Requirement | 4.4 | 4.8 |
| CVE-2023-40159 | Exposure of Sensitive Information to an Unauthorized Actor | 8.2 | 8.8 |
Table 1: Vulnerability details of Philips VUE PACS
Patch Details
For vulnerabilities CVE-2020-36518, CVE-2020-11113, CVE-2020-35728, CVE-2021-20190, CVE-2020-14061, CVE-2020-10673, CVE-2019-12814, CVE-2017-17485, CVE-2023-40223, and CVE-2023-40159, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400* released in August 2023. – Link.
For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. Philips also recommends upgrading to the Vue PACS version 12.2.8.410* released in October 2023 – Link.
For CVE-2023-40704 and CVE-2023-40539, Philips recommends configuring the Vue PACS environment per 8G7607 – Vue PACS User Guide Rev G available on Incenter – Link.
Philips VUE PACS’ Internet Exposure
The disclosed vulnerabilities (Table 1) can be exploited remotely and have low attack complexity. Hence, Cyble Research and Intelligence Labs (CRIL) investigated the impacted product’s internet exposure and observed the 495 internet-exposed Philips VUE PACS.
It was observed that Brazil and the United States had the highest number of Philips VUE PACs exposure; the graph below provides insights into the Top 5 countries with the highest number of exposures.
CRIL’s investigation discovered that the internet-exposed PACs are being used by multiple Healthcare facilities globally, as shown in the screenshot below.
Figure 1– Screenshot indicating VUE PACs utilized by Healthcare facilities
Conclusion
The Healthcare and Public Health sectors are vastly dependent on Picture Archiving and Communication Systems (PACs) due to their nature of operations within this environment; at the same time, the operations performed via PACs become a lucrative target for Threat Actors (TAs).
The recent vulnerabilities within Philips VUE PACs and the affected product’s internet exposure might be leveraged by TAs in the near future for data breaches that compromise patients’ privacy, undermine trust in healthcare institutions, and even jeopardize patient safety by delaying critical medical diagnoses and treatments.
Therefore, regular patching and updating of PACS are essential steps that need to be continuously taken to verify the security and integrity of healthcare operations, protect patient information, and maintain the overall resilience of healthcare services.
Recommendations
Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately.
Implement proper network segmentation to avoid exposing critical assets over the Internet: Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Vulnerability Assessment and Penetration Testing (VAPT) exercises and auditing: Conduct regular VAPT exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Enhance your visibility into your organization’s external and internal assets: Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.
References:
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01
https://www.philips.com/a-w/security/security-advisories.html
The post Philips Discloses Multiple VUE PACS Vulnerabilities: Healthcare Sector Walking on Thin Ice appeared first on Cyble.
React to this headline:
