Publication Date: September 17, 2020
Update Date: September 17, 2020
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS).
Philips confirmed 5 vulnerabilities in a range of low- to medium-severity (CVSS 3.4-6.8) associated with the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS), affecting versions 12.2.1 and prior. These include potential exploits relating to input and data validation verification, resource allocation limitation, and access configuration, among others.
This potential issue requires a high skill level to exploit, and there are currently no known public exploits available. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.
Successful exploitation of these issues could allow an attacker to lead a user into executing potentially unauthorized actions or provides the attacker with identifying information that could be used for subsequent attacks.
Philips released a patch in June 2020, for Clinical Collaboration Platform Portal (officially registered as Vue PACS) version 184.108.40.206 to correct some of these issues, and a new release of the product was released in May 2020. One issue requires manual intervention and affected customers are advised to contact Philips support.
Users with questions regarding their specific Philips Clinical Collaboration Platform installation and new release eligibility should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or call 1-877-328-2808 option 4.
Publication on CISA website: https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01