Philips Alice 6 Vulnerabilities (Update B)

MonitorCVSS 5.3ICS-CERT ICSMA-18-086-01Mar 27, 2018

Philips

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Philips Alice 6 versions R8.0.3 and prior contain insufficient encryption and lack cryptographic integrity checks. These weaknesses allow an attacker to intercept and decrypt usernames, passwords, and personal data transmitted by or stored on the system. An attacker could also replace a trusted system node with a malicious one to alter, corrupt, or disclose sensitive data. The vulnerabilities stem from weak cryptographic implementation (CWE-287: Improper Authentication, CWE-311: Missing Encryption of Sensitive Data).

What this means

What could happen

An attacker could intercept and decrypt stored usernames, passwords, and patient/facility data on the Alice 6 anesthesia delivery system by exploiting weak encryption. An attacker could also impersonate a trusted system component to alter or corrupt critical device data.

Who's at risk

Hospital anesthesia departments and operating rooms using Philips Alice 6 anesthesia delivery and monitoring systems. This affects clinical personnel who rely on Alice 6 for patient monitoring and anesthesia management, as well as any stored patient data and facility credentials.

How it could be exploited

An attacker with network access to the Alice 6 system could intercept unencrypted or weakly encrypted communication to capture credentials and personal data. Alternatively, the attacker could replace a trusted network node (such as a monitoring station or data server) with a malicious node to intercept, alter, or corrupt configuration and patient data before it reaches the actual system.

Prerequisites

Network access to Alice 6 system communications
No authentication required to perform passive interception
Physical or network access to replace a trusted node on the network

Remotely exploitableNo authentication required for passive interceptionLow complexity attackAffects patient data confidentialityWeak encryptionCryptographic integrity checks missing

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (1)

ProductAffected VersionsFix Status

Version: R8.0.3 or prior≤ R8.0.3No fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGSegment the Alice 6 system on a restricted network isolated from internet and non-clinical systems until patched

HARDENINGRestrict network access to Alice 6 devices using firewall rules to allow only authorized clinical workstations and monitoring stations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Alice 6 system to firmware version R8.0.4 or later

HOTFIXContact Philips service support to schedule a maintenance window for the R8.0.4 update

CVEs (2)

CVE-2018-5451 CVE-2018-7498

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/efa633b9-b438-4491-a058-a4a464adea15

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.