Philips MRI 1.5T and 3T Vulnerabilities
Summary
Vulnerabilities centre around improper access control, incorrect ownership assignment, and exposure of sensitive information to an unauthorised attacker.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Philips has released an advisory for three vulnerabilities in the affected Philips MRI software solutions, tracking them as CVE-2021-3083, CVE-2021-3084, and CVE-2021-3085. The vulnerabilities involve improper access control, incorrect ownership assignment for resources, and potential exposure of sensitive information to unauthorised attackers.
Successful exploitation of these vulnerabilities may allow an unauthorised attacker to execute software, modify system configuration, view or update files, and export data (including patient data) to an untrusted environment. At the time of writing, Philips is not aware of the vulnerabilities being exploited in the wild.
Remediation advice
Affected organisations should review the Philips MRI 1.5 and 3T release 5 (2022 November 9) security advisory. Philips have not released any security updates for this product but report that they plan to release a software upgrade that will correct the affected software in Q3 2022.
Philips recommends mitigating these vulnerabilities by ensuring that users operate all Philips deployed and supported products within Philips authorised specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 10 November 2021 2:56 pm