Today the DHS NCCIC-ICS published two medical device control
system security advisories for products from Philips and Change Healthcare.
Philips Advisory
This advisory
describes a use of obsolete function vulnerability in the Philips HDI 4000
Ultrasound Systems. The vulnerability was
reported by Check Point. Philips has provided generic measures to mitigate
the vulnerability and reports that the devices reached end-of-support in December
of 2013. There is no indication that the researchers have been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
access to the local subnet could use publicly available exploits to exploit the
vulnerability, leading to exposure of ultrasound images (breaches of
confidentiality) and compromised image integrity.
Change Healthcare Advisory
This advisory
describes an incorrect default permissions vulnerability in the Change
Healthcare Cardiology Devices. The vulnerability was reported by Alfonso Powers
and Bradley Shubin of Asante Information Security. Change Healthcare has a patch
to mitigate the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
locally authenticated access can exploit the vulnerability by
inserting specially crafted files that could result in
arbitrary code execution.