Philips plans an update to correct improper input validation and use of hard-coded credentials issues in its PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs in a release scheduled for mid-year 2019, according to a report with NCCIC.

Successful exploitation of these vulnerabilities, which Philips self-reported, could allow buffer overflows, or allow an attacker to access and modify settings on the device.

All versions prior to May 2018 of PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs suffer from the vulnerabilities.

In one vulnerability, the PageWriter device does not sanitize data entered by the user. This can lead to buffer overflow or format string vulnerabilities.

CVE-2018-14799 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.

In addition, an attacker with the superuser password and physical access to the device can enter that password to access and modify all settings on the device, as well as reset existing passwords.

CVE-2018-14801 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

The product sees use in the healthcare and public health sectors and is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.

Netherlands-based Philips plans an update to correct these issues in the release scheduled for mid-year 2019.

Philips also provided the following information regarding an operating system that is no longer supported by the operating system manufacturer:
• WinCE5 is an obsolete operating system, which is no longer supported by the operating system manufacturer and only applies to PageWriter TC20, TC30, TC50 and TC70.
• PageWriter TC50 and TC70 support WinCE7, which is available for download on InCenter by customers. Philips recommends replacing the TC20 and TC30 with the TC50 if customers are concerned about the obsolete operating system. For TC20, there will be an update to a supported operating system released by end of 2019.

Philips offers the following additional mitigation advice: 
• Defense in depth
• Physical security is a foundational requirement
• For medical devices such as a PageWriter, controlling access to the system components provides key protection to the medical devices in the system
• Physical security is a combination of policy, procedure and practice to control and monitor who has physical access
• For medical devices, physical security provides multifactor authentication (the user physically must be at the device and provide something they know)


