Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0892 Advisory (ICSMA-18-086-01) Philips Alice 6 Vulnerabilities 28 March 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Philips Alice Publisher: ICS-CERT Operating System: Network Appliance Impact/Access: Access Privileged Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Mitigation CVE Names: CVE-2018-7498 CVE-2018-5451 Original Bulletin: https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01 - --------------------------BEGIN INCLUDED TEXT-------------------- Advisory (ICSMA-18-086-01) Philips Alice 6 Vulnerabilities Original release date: March 27, 2018 Legal Notice All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/. OVERVIEW Philips has identified improper authentication and missing encryption of sensitive data vulnerabilities in the Philips Alice 6 System product. Philips scheduled a new product version release and supporting product documentation in December 2018. For all users of the Alice 6 System product, Version R8.0.2 or prior, Philips will update the devices to R8.0.3. This update will introduce encryption of data in transit and at rest, and stop transmission of clear text usernames and passwords. AFFECTED PRODUCTS The following versions of the 6 System are affected: Version R8.0.2 or prior. IMPACT Successful exploitation may allow an attacker to gain visibility to usernames/passwords and personal data. Insufficient encryption and cryptographic integrity checks can lead to altered, corrupted, or disclosed sensitive data. Disclosure of personal data can occur by replacing a trusted node with a malicious node. Impact to individual organizations depends on many factors that are unique to each organization. NCCIC recommends organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage. BACKGROUND Philips is a global company that maintains offices in several countries around the world, including countries in Africa, Asia, Europe, Latin America, Middle East, and North America. The affected product, Philips AliceNe 6, is a Polysomnography System (PSG) that is intended to record, display, and print physiological information to clinicians/physicians. According to Philips, Alice 6 is deployed across the Healthcare and Public Health sectors. Philips estimates this product is used in 50 countries around the world, including the United States and other countries within Asia Pacific, Europe, the Middle East, and North America. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW IMPROPER AUTHENTICATION CWE-287 When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or the ability to execute arbitrary code. CVE-2018-5451 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). MISSING ENCRYPTION OF SENSITIVE DATA CWE-311 The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys. CVE-2018-7498 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). VULNERABILITY DETAILS EXPLOITABILITY These vulnerabilities could be exploited remotely. EXISTENCE OF EXPLOIT Exploits that target these vulnerabilities are publicly available. DIFFICULTY An attacker with a low skill would be able to exploit these vulnerabilities. MITIGATION Philips will notify users of the identified vulnerabilities and will coordinate with the users to schedule updates. Philips is scheduled to release a new product version and supporting product documentation in December 2018. For all users of the Alice 6 System product, version R8.0.2 or prior, Philips will update the devices to R8.0.3. Philips encourages users to use Philips validated and authorized changes only for the Alice 6 device supported by Philips authorized personnel or under Philips explicit published directions for patches, updates, or releases. As an interim mitigation to the vulnerabilities until the update can be applied, Philips recommends that users: Ensure that network security best practices are implemented, and Limit network access to Alice 6 in accordance with product documentation. Users with questions regarding their specific Alice 6 installations should contact their local Philips service support team or their regional Alice 6 service support. Contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions (link is external) NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: Ensure that non-product related software packages, such as email and web browser software, are not installed on medical devices, as they could contain vulnerabilities, malware, and broaden the attack surface, which could impact the intended function of the device. Minimize network exposure for all control system devices and/or systems; ensure that they are not accessible from the Internet. Locate all medical devices and remote devices behind firewalls; isolate them from the business network. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices. NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. Additional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWrsH9ox+lLeg9Ub1AQhm/g/+PhZIG7LF3ayhe30BBxb+huORhK3vWB83 Liz8XUncfiUwyOdGypbtMyncIHPCxwB6G6Wg6RX9JPpODU8+/6fQ8iM8lgdRdF8A Y5ixwuoZQtyOUGvBgk7OebcL+8DXrua3L9Fg+JVHOANk91sPDsA0GnDFnoFaO0HT k6RVxZo9Pv3I2uSj6WUfl6RYwJjwA8JWLIJAHiQmsr1ywiTtq4BjcEVcA/+XW0KO DREALOg3U4HgXeSKVERpglxq6QTkfOJtYXVFwayzgP+KXbDykRSEfq8TnuXQ1Yko 582RhHcpWuRanjE1Xj7+hI/DACED1d5jD1SFPKf7C2urIVEBYfPXs5683ElFzC2O w0mVUSKNS8zXnZCHgRJn60hG4jrUIzRYrE7u5bhsh+H4aDE1RCXzWebtpf047A9z PzAJ5gdP3zxupiVSGGGIGRFe1j0sRGwyASdG1AwWLlD+DMSgaqYlp/uRJdth6o2a nvWfCl5VMHNChYqPi+kvfv1v816+0LhkDowGG9hkVjmaeda9na/g/kFnePu5cK1o dy5tk0HipldfFX7567cN+VfAl1c1/bdFc6QdgEPGt3esVIF8gMTGOzGDXin7jLl4 GuI2yLIidbSQ+P2pQ8cQkmOPG8gxnQVDTjpXjlVp45j+wMRrpW0gMCCIlWFXKRSH IwyOsuMtufA= =20EX -----END PGP SIGNATURE-----