Philips Vue PACS Medical Imaging Systems are Vulnerable to Hackers
Reading Time: 2 minutes

Multiple security vulnerabilities were reported for Philips Vue PACS Medical Imaging Systems which make them vulnerable to hackers.

An advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) mentioned, “Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.”

The Critical Security Flaws Impact:

  • VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior)
  • Vue MyVue (versions 12.2.x.x and prior)
  • Vue Speech (versions 12.2.x.x and prior)
  • Vue Motion (versions and prior)

It comes with flaws concerned with improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis. These are CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014 which come under a Common Vulnerability Scoring System (CVSS) base score of 9.8.

The other two serious flaws are CVE-2021-33020, CVSS with a base score of 8.2. These flaws use the cryptographic keys beyond their established expiration date, “which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.”

Other weakness detected that could increase the severity of the other vulnerabilities

  • CVE-2021-33018 – Uses broken or risky cryptographic algorithms.
  • CVE-2015-9251 — Cross-site scripting attack when handling user-controllable input.
  • CVE-2021-33024 – Insecure methods to protect authentication credentials.
  • CVE-2018-8014 – Improper or incorrect initialization of resources.
  • CVE-2021-27501 – A failure to follow coding standards.

Earlier in June 2020 and May 2021, Phillips had addressed some of the vulnerabilities as part of the updates shipped. The Dutch healthcare company has plans to patch the remaining security issues in version 15 of Speech, MyVue, and PACS, currently in development and set for release in Q1 2022.

In an attempt to minimize security risks, CISA is urging organizations to minimize network exposure for all control system devices and ensure they are not accessible via the Internet, segment control system networks and remote devices behind firewalls, and use VPN for secure remote access.

Related Articles:

Bizarro Banking Malware has 70 European and South American Banks under its grip
Waterwise Botanicals – North County Nursery’s Instagram Account Hacked
Ransomware Gang threatens to publish HSE data if Ransom not Paid by Monday