Philips e-Alert Unit

Plan PatchCVSS 7.5ICS-CERT ICSA-18-242-01Aug 30, 2018

PhilipsHealthcare

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Philips e-Alert Unit versions R2.1 and earlier contain multiple input validation, cross-site scripting, information disclosure, and resource exhaustion vulnerabilities. An attacker on the same subnet can send malicious input to the unit without authentication to steal user contact data, alter unit configuration, or trigger a denial of service. Version R2.1 (June 2018) fixed four of the eight CWEs; Philips planned a further update for end of 2018 to address the remaining issues including cross-site scripting, weak cryptography, and rate limiting.

What this means

What could happen

An attacker on the same network as the e-Alert unit could steal contact information, alter unit configuration, shut down the alerting system, or cause it to crash, disrupting critical notifications in a healthcare facility.

Who's at risk

Healthcare facilities using Philips e-Alert units for emergency alerting and notification. IT/OT teams managing these non-medical devices in hospital networks are responsible for mitigating local network attacks that could disrupt critical alerting functions.

How it could be exploited

An attacker on the local network (same subnet) sends specially crafted input to the e-Alert unit's web interface or network services. The unit lacks input validation and security controls, allowing the attacker to inject code, read stored user data, or trigger a crash without authentication.

Prerequisites

Attacker must be on the same subnet as the e-Alert unit
Network access to the e-Alert unit's web interface or listening ports
No credentials required

Remotely exploitable from local networkNo authentication requiredLow attack complexityNo patch available for some vulnerabilities (update planned end of 2018)Affects communication/alerting infrastructure

Exploitability

Some exploitation risk — EPSS score 2.3%

Affected products (1)

ProductAffected VersionsFix Status

e-Alert Unit (non-medical device):≤ R2.1R2.2 (planned end of 2018)

Remediation & Mitigation

0/4

Do now

0/3

WORKAROUNDImmediately restrict network access to e-Alert units via firewall rules—only allow connections from authorized devices and networks

HARDENINGIsolate e-Alert units from general hospital network; place on a dedicated management VLAN with strict inbound/outbound access controls

HARDENINGDo not expose e-Alert units to the Internet or untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate e-Alert Unit to Version R2.2 or later (planned end of 2018) when released by Philips

CVEs (8)

CVE-2018-8850 CVE-2018-8846 CVE-2018-14803 CVE-2018-8848 CVE-2018-8842 CVE-2018-8844 CVE-2018-8852 CVE-2018-8854

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4c07a3ac-1294-40b6-8fc7-161e55ffd164

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.