Philips IntelliVue Patient and Avalon Fetal Monitors Weakness Warning Issued

by Patrick Kennedy | Jun 7, 2018

An official advisory covering weaknesses in certain Philips IntelliVue Patient and Avalon Fetal monitors has been released by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Three weaknesses were discovered by Philips and reported to ICS-CERT: two have been rated high severity and one medium.

If successfully exploited, the weaknesses could allow an attacker to read and write device memory and to cause a denial of service by forcing a system restart. Exploitation could lead to a delay in the diagnosis and treatment of patients.

Products Impacted:

  • IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M;
  • Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3
  • IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only);

Weaknesses:

CWE-287 – Improper Authentication Vulnerability

An unauthenticated attacker who has obtained access to the LAN could exploit this weakness to write to the memory (a write-what-where condition) of a chosen device within the same subnet.

CWE-200 – Information Exposure Vulnerability

Exploitation of this weakness could allow an unauthenticated attacker to read the memory of a chosen device within the same subnet.

CWE-121 – Stack-Based Buffer Overflow Vulnerability

The weakness lies in an exposed echo service: a buffer sent by an attacker to an attacker-chosen device address within the same subnet is copied onto the stack with no boundary check, resulting in a stack-based buffer overflow.
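To make the CWE-121 pattern described above concrete, here is an added illustration (not Philips code, and not taken from the advisory): a hypothetical echo handler that copies a request into a fixed stack buffer using the request's own length, shown beside a bounded version that refuses anything that does not fit. The buffer size, function names and request layout are assumptions; the device's real protocol is not described on the page.

```c
/* Added illustration of the echo-service bug class, not Philips code.
 * The handler structure and ECHO_BUF size are assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ECHO_BUF 64   /* hypothetical fixed-size stack buffer */

/* Unsafe pattern: the attacker-controlled length is trusted, so a request
 * longer than ECHO_BUF bytes is written past the end of the stack buffer.
 * Shown only to make the missing check visible; it is never called below. */
size_t echo_unsafe(const uint8_t *req, size_t len, uint8_t *out)
{
    uint8_t buf[ECHO_BUF];
    memcpy(buf, req, len);          /* no boundary check: CWE-121 */
    memcpy(out, buf, len);
    return len;
}

/* Bounded version: the request must fit both the stack buffer and the
 * caller's output buffer. Returns bytes echoed, or 0 when refused so the
 * caller can log the oversized request as a probable attack. */
size_t echo_bounded(const uint8_t *req, size_t len, uint8_t *out, size_t out_cap)
{
    uint8_t buf[ECHO_BUF];
    if (req == NULL || out == NULL)
        return 0;
    if (len > sizeof buf || len > out_cap)
        return 0;                   /* refuse instead of overflowing */
    memcpy(buf, req, len);
    memcpy(out, buf, len);
    return len;
}

int main(void)
{
    const uint8_t ping[4] = {'p', 'i', 'n', 'g'};   /* constructed request */
    uint8_t oversized[256];                         /* constructed request */
    uint8_t out[ECHO_BUF];
    memset(oversized, 'A', sizeof oversized);
    printf("short request: %zu bytes echoed\n",
           echo_bounded(ping, sizeof ping, out, sizeof out));
    printf("oversized request: %zu bytes echoed (0 = refused)\n",
           echo_bounded(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```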

Mitigations:

Philips disclosed the vulnerabilities under its Coordinated Vulnerability Disclosure Policy. The advisory was published proactively so that users of the affected products can take action to prevent the weaknesses from being exploited.

Philips notes that the weaknesses cannot be exploited remotely: a malicious actor must first gain access to the LAN on which the medical devices sit. Exploiting the weaknesses also requires a considerable degree of technical expertise.

No public exploits for the weaknesses have been detected and there have been no reports of any exploitation of the weaknesses in the wild.

Philips is developing a patch to address all three issues on IntelliVue software Revisions J-M and Avalon software Revisions G.0 and J.3 in 2018. For unsupported versions, Philips will supply an upgrade path to a supported version. Users of unsupported versions should contact their Philips sales representative for further details.

Meanwhile, users of the affected products can take the following measures to minimize the potential for exploitation of the vulnerabilities:

  • IntelliVue Monitors – adhere to instructions for use in the Security for Clinical Networks Guide and update to Revision K.2 or newer software.
  • Avalon Fetal Monitors Release G.0 and Release J.3 – refer to the Data Privacy and Network Security Requirements in the installation and service manual.
  • Avalon Fetal Monitors Release F.0 – Follow the instructions as listed in the Rev J.3 Service Guide Data Privacy and Network Security Requirements section.
  • Implement physical security access controls to restrict access to the devices to authorized users, as detailed in the Philips Security for Clinical Networks guide and the IntelliVue Clinical Networks Configuration Guide.
  • Apply logical access controls to stop the devices from communicating outside the Philips clinical network.
  • Locate all susceptible devices behind firewalls and isolate them from the business network.
  • Make sure the devices are not accessible via the Internet.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
