The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has posted a medical advisory to inform the public of several critical vulnerabilities in Philips Vue PACS (Picture Archiving and Communication System). This is a widely used system in hospitals and other institutions where the archiving, distribution, retrieval, displaying, and sharing of image data is crucial. The chain flaw, which has been given a CVSS v3 score of 9.8, allows the cleartext transmission of sensitive data, which opens up eavesdropping potential.
Moreover, due to various issues relating to improper authentication, initialization, memory buffer restriction, input validation, key management, neutralization, and several data integrity issues, a malicious individual could potentially gain system access, perform code execution remotely, install unauthorized software (malware), and even modify the data that is being shared/distributed through Philips Vue PACS.
The affected products and versions are given below:
In total, the advisory details 16 vulnerabilities, some of which have been addressed by Philips in patches released last year. However, several of these flaws remain unremedied and will be addressed in version 15 of the above products, which is expected to be released in the first quarter of 2022. Until then, manual remediations are suggested as the only solution. Additionally, admins are advised to apply the following recommendations:
On a positive note, CISA’s alert clarifies that there have been no signs of the above flaws having been targeted by malicious actors in the wild. However, this is not a reason for complacency, especially now that actors have a lead on where to look for open portals. Due to the role that a product like Philips Vue PACS plays in global healthcare, this is a global problem that will be complicated to address.