Today the CISA NCCIC-ICS published one medical device cybersecurity
advisory for products from Philips and updated one control system security advisory
for products from Treck.
Philips Advisory
This advisory
describes three vulnerabilities in the Philips SureSigns VS4 patient monitor.
The vulnerabilities were reported by Cleveland Clinic. Philips has provided
generic mitigations for these vulnerabilities. There is no indication that the
researchers have been provided with an opportunity to verify the efficacy of
the fix.
The three reported vulnerabilities are:
• Improper input validation - CVE-2020-16237,
• Improper access control - CVE-2020-16241, and
• Improper authentication - CVE-2020-16239
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to gain access to
administrative controls and system configurations, which could allow changes to
system configuration items causing patient data to be sent to a remote
destination. The Philips
advisory notes that: “This potential vulnerability does not impact patient
safety.”
Treck Update
This update
provides additional information on the Ripple20 advisory that was originally
published on June 16th, 2020 and most
recently updated on July 21st, 2020. The new information
includes a link to a vendor
advisory from Johnson Controls for their Sur-Gard System 5 receivers.
NOTE: NCCIC-ICS still has not reported the Siemens Ripple20
advisory that I
discussed on July 18th, 2020.