Several vulnerabilities were found in Philips Vue PACS items, 5 were critical vulnerabilities having a 9.8 severity score and 4 were high severity vulnerabilities.
Attackers can exploit a few of the vulnerabilities remotely with a low attack complexity. An attacker that successfully exploits the vulnerability would be able to acquire system access, snoop, view and change information, execute arbitrary code, set up unauthorized software programs, or compromise system integrity and acquire access to sensitive information, or adversely impact the availability of the system.
Philips reported the vulnerabilities lately to CISA as well as the impacted list of Philips Vue PACS products:
- Vue Motion: Versions 12.2.1.5 and earlier
- Vue PACS: Versions 12.2.x.x and earlier
- Vue Speech: Versions 12.2.x.x and earlier
- Vue MyVue: Versions 12.2.x.x and earlier
Details of Critical Vulnerabilities
- CVE-2018-12326 – Buffer overflow problem in Redis third-party software program permitting code execution and raising of privileges – (CVSS v3 9.8/10)
- CVE-2020-1938 – Improper validation of input to make sure safe and right information processing, possibly permitting remote code execution – (CVSS v3 9.8/10)
- CVE-2018-11218 – Vulnerability involving memory corruption in Redis software program – (CVSS v3 9.8/10)
- CVE-2018-8014 – Default configurations for the CORS filter aren’t safe – (CVSS v3 9.8/10)
- CVE-2020-4670 – Improper authentication in the Redis software program – (CVSS v3 9.8/10)
Details of High Severity Vulnerabilities
- CVE-2018-10115 – Wrong initialization logic of RAR decoder objects in 7-Zip possibly permitting denial of service or remote code execution through a specially created RAR file – (CVSS v3 7.8/10)
- CVE-2021-33020 – Usage of a cryptographic key beyond its date of expiration – (CVSS v3 8.2/10)
- CVE-2021-33022 -Transmitting of sensitive/security-critical information in cleartext – (CVSS v3 7.5/10)
- CVE-2021-27501 – Inability to comply with coding rule for development – (CVSS v3 7.5/10)
Details of Medium Severity Vulnerabilities
- CVE-2021-27497 – Failure of the system that defends against direct attacks – (CVSS v3 6.5/10)
- CVE-2021-33018 – Using a risky or broken cryptographic algorithm – (CVSS v3 6.5/10)
- CVE-2012-1708 – Oracle Database vulnerability which can impact data integrity – (CVSS v3 6.5/10).
- CVE-2021-27493 – Inability to make sure structured messages or information are well made and security properties are satisfied – (CVSS v3 6.1/10)
- CVE-2015-9251 – Cross-site scripting vulnerability caused by inappropriate neutralization of user-controlled input – (CVSS v3 6.1/10)
- CVE-2019-9636 – Inappropriate handling of input that contains Unicode encoding – (CVSS v3 5.3/10)
Details of Low Severity Vulnerability
- CVE-2021-33024 – Insecure way of transmitting/storing authentication credentials- (CVSS v3 3.7/10)
Mitigations
Philips proposes setting up the Vue PACS system per D00076344 – Vue_PACS_12_Ports_Protocols_Services_Guide accessible on Incenter.
Philips had fixed a few of the vulnerabilities in version 12.2.8.0 (Vue Speech), version 12.2.1.5 (MyVue/Vue Motion), and Version 12.2.8.0 (Vue PACS), which include 4 of the 5 critical vulnerabilities.
Version 15 of the software program is going to be available in Q1 of 2022 to fix the other vulnerabilities in Speech, PACS, MyVue.
Complete information can be found here.