Philips produced a new version that mitigates hard-coded credentials and cleartext storage of sensitive information vulnerabilities in its DoseWise Portal (DWP) web application, according to a report with ICS-CERT.
DoseWise Portal, Versions 126.96.36.1993 and 188.8.131.5269 suffer from the remotely exploitable vulnerabilities.
Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains patient health information (PHI). Potential impact could therefore include compromise of patient confidentiality, system integrity, and/or system availability.
Philips is a global company that maintains offices in several countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.
The affected product, DWP, is a web-based reporting and tracking tool for radiation exposure. DWP is standalone Class A software in accordance with IEC 62304.
The DWP application sees use across the healthcare and public health sectors. The product sees action in Australia, the United States, Japan, and Europe.
In one of the vulnerabilities, the backend database of the DWP application uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database.
For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI.
CVE-2017-9656 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
In addition, the web-based application stores login credentials in clear text within backend system files.
CVE-2017-9654 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to leverage these vulnerabilities.
Philips is scheduled to release a new product version and supporting product documentation this month.
For all users of DWP Version 184.108.40.20669, Philips will update the DWP installation to Version 220.127.116.1118. This update will replace the authentication method and eliminate hard-coded/fixed password vulnerabilities from the DWP system.
All users of DWP Version 18.104.22.1683 will end up supported by Philips to reconfigure the DWP installation to change and fully encrypt all stored passwords.
Philips notified users of the identified vulnerabilities and will coordinate with users to schedule updates. Philips encourages users to use Philips-validated and authorized changes only for the DWP system supported by Philips’ authorized personnel or under Philips’ explicit published directions for product patches, updates, or releases.
As an interim mitigation, until the update can be applied, Philips recommends users:
• Ensure network security best practices are implemented
• Block Port 1433, except where a separate SQL server is used
Click here to read Philips’ advisory.
DWP users with questions should contact their local Philips service support team or their regional service support. Click here for additional contact information.