Philips cardiovascular software found to contain privilege escalation, code execution bugs
Multiple versions of cardiovascular imaging and information management software from Philips have been found to contain vulnerabilities that could lead to escalated privileges and arbitrary code execution.
The first vulnerability, CVE-2018-14787, is a high-severity flaw (CVSS score of 7.3) found in versions 2.x or prior of Philips’ IntelliSpace Cardiovascular (ISCV) solution and Xcelera versions 4.1 and earlier. According to an advisory last week by the U.S. Department of Homeland Security’s ICS-CERT division, “an attacker with escalated privileges could access folders which contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions.”
Philips explained in its own corporate advisory that the affected versions “contain 20 Windows services of which the executables are being present in a folder where authenticated users have write permissions. The services run as a local admin account or local system account, and if a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions.”
The other issue, CVE-2018-14789, is a medium-severity unquoted search path or element vulnerability that can allow malicious actors to elevate privileges and execute code in ISCV versions 3.1 and earlier and Xcelera versions 4.1 and prior. Philips said that the affected versions have 16 Windows services that fail to have quotes in the path name. “These services are running with local admin rights, and are initiated with a registry key. This path may permit a user to place an executable that provides local admin rights,” Philips stated.
The company noted that the bugs’ risk is minimized by that fact that authenticated users must first locally access the ISCV/Xcelera servers locally in order pull off an exploit. By default, this process is disabled.
Philips announced that it will patch the issue upon the October 2018 release of ISCV 3.2. The ICS-CERT had slightly different information in its advisory, saying that the specific issue found in Version 2.x or prior and Xcelera Version 4.1 or prior, was previously mitigated by the release of ISCV 3.1 earlier this year.
In lieu of an official patch for now, Philips recommends that users change their Windows settings accordingly. Also, DHS’ National Cybersecurity and Communications Integration Center (NCCIC) has advised users to minimize affected devices’ network exposure, implement firewalls, and use secure methods for remote access including credible VPN products.