CISA Warns About Easily Exploitable RCE Flaws on Philips Vue PACS

• CISA released an alert about critical RCE vulnerabilities in Philips Vue PACS.
• There are quite a few flaws that affect various Vue products, some of which will be fixed next year.
• Until then, mitigations and secure configurations are the only way to keep things under control.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has posted a medical advisory to inform the public of several critical vulnerabilities in Philips Vue PACS (Picture Archiving and Communication System). This is a widely used system in hospitals and other institutions where the archiving, distribution, retrieval, displaying, and sharing of image data is crucial. The chain flaw, which has been given a CVSS v3 score of 9.8, allows the cleartext transmission of sensitive data, which opens up eavesdropping potential.

Moreover, due to various issues relating to improper authentication, initialization, memory buffer restriction, input validation, key management, neutralization, and several data integrity issues, a malicious individual could potentially gain system access, perform code execution remotely, install unauthorized software (malware), and even modify the data that is being shared/distributed through Philips Vue PACS.

The affected products and versions are given below:

• Vue PACS: Versions 12.2.x.x and prior
• Vue MyVue: Versions 12.2.x.x and prior
• Vue Speech: Versions 12.2.x.x and prior
• Vue Motion: Versions 12.2.1.5 and prior

In total, the advisory details 16 vulnerabilities, some of which have been addressed by Philips in patches released last year. However, several of these flaws remain unremedied and will be addressed in version 15 of the above products, which is expected to be released in the first quarter of 2022. Until then, manual remediations are suggested as the only solution. Additionally, admins are advised to apply the following recommendations:

• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

On a positive note, CISA’s alert clarifies that there have been no signs of the above flaws having been targeted by malicious actors in the wild. However, this is not a reason for complacency, especially now that actors have a lead on where to look for open portals. Due to the role that a product like Philips Vue PACS plays in global healthcare, this is a global problem that will be complicated to address.