Security researchers have reported three flaws in SureSigns VS4, a vital signs monitor made by Philips. According to the report, exploiting these flaws could allow an attacker to bypass certain security checks and gain access to administrative controls and system configuration; because the device is used to monitor patients, tampering with it could put patient safety at risk.
The flaws were reported to Philips and to the Cybersecurity and Infrastructure Security Agency (CISA) by the Cleveland Clinic security team.
Below is a brief overview of each flaw, with its CVE identifier and its score under the Common Vulnerability Scoring System (CVSS).
CVE-2020-16237 (improper input validation): the product receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly. The flaw received a CVSS score of 2.1/10 and is rated low severity.
CVE-2020-16241 (improper access control): the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor, which could allow an attacker with access to the device to compromise it. The flaw received a CVSS score of 6.5/10 (medium severity).
CVE-2020-16239 (improper authentication): when an actor claims to have a particular identity, the software does not prove, or insufficiently proves, that the claim is correct, so an attacker may be able to act under an identity they do not hold. The flaw received a CVSS score of 4.0/10 (medium severity).
None of these flaws is rated critical, but administrators should not ignore the alert: these monitors are widely deployed in hospitals, so the number of exposed devices is large.
To mitigate the risk of exploitation, Philips recommends that users reset all passwords on the SureSigns VS4 and restrict any unauthorized or unnecessary access to the devices.
CISA additionally recommends restricting physical access to the devices and using least-privilege accounts to operate critical healthcare systems, so that a compromised or shared account cannot be used to reach administrative functions.