Philips Healthcare and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have issued security advisories regarding vulnerabilities in the vendor's IntelliSpace Cardiovascular (ISCV) and Xcelera cardiology image and information management software.
Successful exploitation of the vulnerabilities could enable an attacker to escalate access privileges on a local ISCV/Xcelera server and execute arbitrary code, according to the ICS-CERT. Philips said it has confirmed the findings of a complaint submitted by a customer regarding vulnerabilities affecting version 2.3.1 of ISCV. The company found that versions 3.1 and earlier of ISCV are affected, as are versions 4.x and 3.x of Xcelera.
Specifically, the vendor noted the following:
- In ISCV version 2.x and earlier and Xcelera 4.x and 3.x, the servers contain 20 Windows services of which the executables are present in a folder where authenticated users have write permissions. The services run as a local admin account or local system account, and if a user were to replace one of the executables with a different program, that program, too, would be executed with local admin or local system permissions.
- In ISCV version 3.x and earlier and Xcelera 4.x and 3.x, there are 16 Windows services that do not have quotes in the path name. These services are running with local admin rights and are initiated with a registry key. This path may permit a user to place an executable that provides local admin rights.
"At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities," Philips said in its security advisory.
Philips noted that the issue only occurs if an authenticated user -- without admin privileges -- is able to locally access the ISCV/Xcelera servers. This access is disabled by default because only administrators have the ability to access the ISCV/Xcelera servers locally, according to the firm.
Upgrading to ISCV version 3.1 mitigates the issue for ISCV version 2.x or prior and Xcelera version 4.1 or prior. The next ISCV software update -- version 3.2 -- will also mitigate the issue for ISCV version 3.1 or prior and Xcelera version 4.1 or prior. Version 3.2, scheduled for release in October, will be available to customers via regular communication and distribution channels, according to the vendor.
As an interim measure, Philips recommends that users review their file permission policies and restrict available permissions when possible, according to the ICS-CERT advisory. The Philips security advisory can be found here, while the ICS-CERT advisory can be found here.