1. EXECUTIVE SUMMARY

  • CVSS v3 4.1
  • ATTENTION: Low skill level to exploit
  • Vendor: Philips
  • Equipment: Tasy EMR
  • Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could impact or compromise patient confidentiality and system integrity. Philips’ analysis has shown these issues, if fully exploited, may allow attackers of low skill in the customer site or on a VPN to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Tasy EMR, a clinical and administrative workflow-based information system, are affected:

  • Tasy EMR Versions 3.02.1744 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2019-6562 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Brazil, Mexico
  • COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

Security researcher Rafael Honorato reported this vulnerability to Philips.

4. MITIGATIONS

Users should follow the instructions in the product configuration manual and not provide Tasy EMR with access to the Internet without a VPN. Users are also advised to update to the most recent three released versions of the product, following the Tasy EMR release schedule. Users should upgrade Service Packs as soon as possible. Hosted solutions will be patched automatically. Users running the application on premise are always alerted via release notes on changes to the system.

Users with questions regarding Tasy EMR should follow the service procedure and open a Service Order to Philips.

Please see the Philips product security website for the latest security information for Philips products:

https://www.philips.com/productsecurity

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.
  • Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA that can be found at the following location:

https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

 

Source:

https://ics-cert.us-cert.gov/advisories/ICSMA-19-120-01