All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
1. EXECUTIVE SUMMARY
- CVSS v3 6.8
- ATTENTION: Low attack complexity
- Vendor: Philips
- Equipment: Patient Information Center iX (PICiX); PerformanceBridge Focal Point; IntelliVue Patient Monitors MX100, MX400-MX850, and MP2-MP90; and IntelliVue X2, and X3
- Vulnerabilities: Improper Neutralization of Formula Elements in a CSV File, Cross-site Scripting, Improper Authentication, Improper Check for Certificate Revocation, Improper Handling of Length Parameter Inconsistency, Improper Validation of Syntactic Correctness of Input, Improper Input Validation, Exposure of Resource to Wrong Sphere
2. UPDATE INFORMATION
This updated advisory is a follow-up to the advisory update titled ICSMA-20-254-01 Philips Patient Monitoring Devices (Update A) that was published August 31, 2020, to the ICS webpage on us-cert.cisa.gov.
3. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data.
Note: To successfully exploit these vulnerabilities, an attacker would need to gain either physical access to surveillance stations and patient monitors or access to the medical device network.
4. TECHNICAL DETAILS
4.1 AFFECTED PRODUCTS
The following versions of the patient monitoring devices are affected:
- Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
- PerformanceBridge Focal Point Version A.01
- IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
- IntelliVue X3 and X2 Versions N and prior
4.2 VULNERABILITY OVERVIEW
The software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.
Affects the following products: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.
Affects the following products: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
When an actor claims to have a given identity, the software does not prove or insufficiently proves the claim is correct.
Affects the following products: Patient Information Center iX (PICiX) Version B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01.
The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate.
Affects the following products: Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior.
The software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart.
Affects the following products: Patient Information Center iX (PICiX) Versions C.02, C.03.
The product receives input that is expected to be well-formed (i.e., to comply with a certain syntax) but it does not validate or incorrectly validates that the input complies with the syntax, causing the certificate enrollment service to crash. It does not impact monitoring but prevents new devices from enrolling.
Affects the following products: Patient Information Center iX (PICiX) Versions C.02, C.03, PerformanceBridge Focal Point Version A.01
The product receives input or data but does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly, which can induce a denial-of-service condition through a system restart.
Affects the following products: IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior.
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
Affects the following products: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03.
- CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Netherlands
Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.
Philips plans a new release to remediate all reported vulnerabilities:
- Patient Information Center iX (PICiX) Version C.03 by end of 2020
--------- Begin Update B Part 1 of 1 ---------
- PerformanceBridge Focal Point by Q4 of 2021
--------- End Update B Part 1 of 1 ---------
- IntelliVue Patient Monitors Versions N.00 and N.01 in Q1 of 2021
- IntelliVue Patient Monitors Version M.04: Contact a Philips service support team for an upgrade path
- Certificate revocation within the system will be implemented in 2023
As a mitigation to these vulnerabilities, Philips recommends the following:
- The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses. Refer to the Philips Patient Monitoring System Security for Clinical Networks guide for additional information on InCenter.
- By default, the simple certificate enrollment protocol (SCEP) service is not running. When needed, the service is configured to run based on the duration or the number of certificates to be assigned. One certificate is default, but if a certificate is not issued, the service will continue to run. Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.
- When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits.
- Implement physical security controls to prevent unauthorized login attempts on the PIC iX application. Servers should be kept in controlled locked data centers. Access to equipment at nurses’ stations should be controlled and monitored.
- Only grant remote access to PIC iX servers on a must-have basis.
- Grant login privileges to the bedside monitor and PIC iX application on a role-based, least-privilege basis, and only to trusted users.
Users with questions regarding their specific Philips Patient Information Center (PIC iX) and/or IntelliVue patient monitor installations and new release eligibility should contact their local Philips service support team, or regional service support, or call 1-800-722-9377
Please see the Philips product security website for the Philips advisory and the latest security information for Philips products.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Implement physical security measures to limit or control access to critical systems.
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts and services.
- Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.