OTPulse

Philips DreamMapper

Monitor | CVSS 5.3 | ICS-CERT ICSMA-20-212-01 | Jul 30, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

DreamMapper version 2.24 and earlier does not properly restrict access to log files. An attacker can remotely read log files containing descriptive error messages without authentication. This is an information disclosure vulnerability (CWE-532) that could expose system configuration details.

What this means
What could happen
An attacker with network access to DreamMapper could read log files containing error messages and other descriptive information, potentially revealing details about system configuration or operation.
Who's at risk
Healthcare organizations using Philips DreamMapper sleep therapy devices or monitoring equipment should care about this vulnerability. Any system running DreamMapper version 2.24 or earlier is affected.
How it could be exploited
An attacker on the network sends requests to DreamMapper to access or retrieve log files. The application does not properly restrict access to these files, allowing the attacker to read error messages and other descriptive information without authentication.
Prerequisites
  • Network access to DreamMapper application
  • DreamMapper version 2.24 or earlier
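To make the weakness class concrete, the following is an added illustration and not DreamMapper or Philips code: a minimal log-file endpoint written the way the advisory describes (any network caller can read logs, no authentication) beside a hardened form that requires an operator credential and confines lookups to the log directory. The log directory, log contents, token and function names are all constructed for the example.

```python
"""Added example (not Philips/DreamMapper code): a log-file endpoint with the
CWE-532 / missing-access-control pattern, beside a hardened version.
The directory, token and log text below are constructed for illustration."""
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample log with the kind of descriptive error text an advisory
# of this type warns about (hypothetical hosts and paths).
SAMPLE_LOG = (
    "2020-07-30 10:01:02 ERROR db connect failed: host=db.internal.example port=5432\n"
    "2020-07-30 10:01:03 WARN config path=/opt/app/config/settings.ini not writable\n"
)

# Hypothetical log directory, created fresh so the example runs offline.
LOG_DIR = Path(tempfile.mkdtemp(prefix="logdemo-")).resolve()
(LOG_DIR / "app.log").write_text(SAMPLE_LOG)

# Hypothetical operator credential; a real deployment issues these per user
# and stores them hashed rather than in a module constant.
ADMIN_TOKEN = secrets.token_hex(16)


def vulnerable_get_log(name: str) -> Tuple[int, str]:
    """Serves any named log to any caller: no authentication, no confinement.

    Returns an (HTTP status, body) pair like a request handler would."""
    path = LOG_DIR / name
    if not path.exists():
        return 404, "not found"
    return 200, path.read_text()


def hardened_get_log(name: str, token: Optional[str]) -> Tuple[int, str]:
    """Requires a valid operator token and confines the lookup to LOG_DIR."""
    # Authenticate first; compare_digest avoids timing side channels.
    if token is None or not hmac.compare_digest(token, ADMIN_TOKEN):
        return 401, "unauthorized"
    # Resolve the requested name and reject anything outside the log directory.
    path = (LOG_DIR / name).resolve()
    if LOG_DIR not in path.parents:
        return 403, "forbidden"
    if not path.is_file():
        return 404, "not found"
    return 200, path.read_text()


if __name__ == "__main__":
    print(vulnerable_get_log("app.log"))            # readable by anyone
    print(hardened_get_log("app.log", None))        # (401, 'unauthorized')
    print(hardened_get_log("app.log", ADMIN_TOKEN)) # readable with credential
```

The two handlers take the same inputs, so the difference that matters for the advisory is visible directly: the vulnerable handler's only gate is whether the file exists, whereas the hardened one refuses unauthenticated callers before it touches the filesystem and only then checks that the resolved path still lives under the log directory.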
Tags: remotely exploitable, no authentication required, information disclosure, low exploit probability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product     | Affected Versions | Fix Status
DreamMapper | ≤ 2.24            | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to DreamMapper to authorized personnel and authorized networks using firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DreamMapper to a version newer than 2.24 when Philips releases the patched version (planned by June 30, 2021)
HARDENING: Disable unnecessary accounts and services on DreamMapper systems
Mitigations - no patch available
DreamMapper has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement physical security controls to limit access to systems running DreamMapper
API: /api/v1/advisories/d05dbe34-9856-438b-a4d9-ea613749c33a