Philips scheduled a new product version and supporting product documentation for release in December to address improper authentication and missing encryption of sensitive data vulnerabilities in its Alice 6 System product, according to a report with ICS-CERT.
For all users of the Alice 6 System product, Version R8.0.2 or prior, Philips will update the devices to R8.0.3. This update will introduce encryption of data in transit and at rest, and stop transmission of clear text usernames and passwords.
Versions R8.0.2 and prior suffer from the remotely exploitable issues.
Successful exploitation may allow an attacker to gain visibility into usernames/passwords and personal data. Insufficient encryption and cryptographic integrity checks can lead to altered, corrupted, or disclosed sensitive data. Disclosure of personal data can occur by replacing a trusted node with a malicious node.
Philips is a global company that maintains offices in several countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.
The affected product, Philips Alice 6, is a Polysomnography System (PSG) that is intended to record, display, and print physiological information to clinicians/physicians.
Alice 6 sees action across the healthcare and public health sectors. Philips estimates this product is used in 50 countries around the world, including the United States and other countries within Asia Pacific, Europe, the Middle East, and North America.
In one vulnerability, when an attacker claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or the ability to execute arbitrary code.
CVE-2018-5451 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
In addition, the lack of proper data encryption forfeits the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
CVE-2018-7498 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Exploits that target these vulnerabilities are publicly available. An attacker with low skill would be able to exploit these vulnerabilities.
Philips will notify users of the identified vulnerabilities and will coordinate with the users to schedule updates. Philips is scheduled to release a new product version and supporting product documentation in December. For all users of the Alice 6 System product, version R8.0.2 or prior, Philips will update the devices to R8.0.3. Philips encourages users to use Philips validated and authorized changes only for the Alice 6 device supported by Philips’ authorized personnel or under Philips’ explicit published directions for patches, updates, or releases.
As an interim mitigation to the vulnerabilities until the update can be applied, Philips recommends users:
• Ensure network security best practices are implemented
• Limit network access to Alice 6 in accordance with product documentation
Users with questions regarding their specific Alice 6 installations should contact their local Philips service support team or their regional Alice 6 service support.