Philips released information about a vulnerability found in Philips IntelliBridge EC40/80 hubs. An attacker could exploit to access vulnerable hubs and execute a software program, change files, alter the system setup, and view identifiable patient information.
Depending on fixed specifications, Philips IntelliBridge EC40/80 hubs are utilized for transferring medical device information at the same time converting one format to another. When the hub connects to a medical device, it does not alter its settings or parameters.
An attacker could exploit the vulnerability to capture a session and play it back and access the hub. The vulnerability is because of the SSH server being utilized on vulnerable products with the set up to permit weak ciphers.
An attacker possessing a low level of skill can exploit the vulnerability. But to be able to exploit the vulnerability, it is necessary that the attacker has network access. The vulnerability CVE-2019-18241 has an assigned CVSS v3 base score of 6.3 out of 10, which is Medium severity.
The New York-Presbyterian Hospital’s Medical Technology Solutions staff told Philips about the vulnerability. In turn, Philips notified the DHS Cybersecurity Infrastructure Security Agency regarding the vulnerability as required by the responsible vulnerability disclosure policy.
All Philips IntelliBridge EC40 and EC80 hubs are impacted by the vulnerability. The problem will be resolved in the release of a new version, which will be available after Q3 of 2020.
Until the time that Philips comes out with the new release, people that have the vulnerable hubs are advised to employ these mitigation measures to minimize the likelihood of exploitation.
- Only run the hub in authorized specifications by Philip and use only the software, settings, system services, and security controls approved by Philips
- These devices have no clinical requirement that calls for communicating outside the clinical network of Philips.
- The devices must be physically or logically segregated from the network of the hospital.
- Users must obstruct the SSH port access. SSH is not designed for use with clinical purposes, just for product support.
- Utilize a long and difficult SSH password and be sure to control password distribution to make sure SSH is utilized through physical access only.