Philips IntelliVue WLAN firmware had been found to have two vulnerabilities that affected some IntelliVue MP monitors. The vulnerabilities can be exploited by hackers to install malicious software that could have an effect on data flow and cause the device and Central Station to be inoperable.
Security researcher Shawn Loveric of Finite State, Inc warned Philips regarding the vulnerabilities. Philips promptly provided a security advisory to clients who are using the vulnerable devices to minimize risk.
Even if an attacker possess a high level of skill, he would still need access to a vulnerable gadget’s local area network in order to take advantage of the vulnerabilities. Current mitigating control could furthermore prohibit the chances of an attack. So, Philips is supposing that the vulnerabilities won’t have an impact on clinical devices. Philips also believes that thus far there’s no active exploitation of the vulnerabilities.
CVE-2019-13530 is the first vulnerability, which involve the use of a hard-coded password that could allow an attacker to remotely login through FTP and upload malicious software. CVE-2019-13534 is the second vulnerability, which allows the attacker to download a code or an executable file through a remote position with no need for verifications of the source or the code. The two vulnerabilities are assigned a CVSS v3 base score of 6.4.
The vulnerabilities impacted the following Philips devices:
IntelliVue MP monitors MP5/5SC (M8105A/5AS)
WLAN Version A, Firmware A.03.09, Part #: M8096-67501
IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
WLAN Version A, Firmware A.03.09
IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
WLAN Version B, Firmware A.01.09, Part #: N/A (Substituted by Version C)
IntelliVue MP monitors MX800/700/600 ((865240/41/42)
WLAN Version B, Firmware A.01.09, Part #: N/A (Substituted by Version C)
Philips won’t release a patch for WLAN Version B, which is obsolete. Philips has advised clients using the affected patient monitors to update to the WLAN Module Version C wireless module. WLAN Version C with present firmware of B.00.31 won’t be affected by the vulnerabilities. Mitigating controls such as applying authentication and authorization via WPA2, executing a firewall rule upon wireless connections, and ensuring the application of physical controls to restrict system access.
The WLAN Version A vulnerability will be remedied by a patch due for release by Philips through Incenter in late 2019.