OTPulse

Philips Vue PACS (Update B)

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSMA-21-187-01
Published: Jul 6, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Philips Vue PACS and related products contain multiple vulnerabilities including improper input validation (CWE-20), buffer overflows (CWE-119), insufficient authentication (CWE-287), use of broken cryptography (CWE-319, CWE-324), and improper configuration (CWE-693). These vulnerabilities allow unauthorized access, data eavesdropping, modification, code execution, and unauthorized software installation. The vulnerabilities affect Vue PACS, Vue Motion, Vue MyVue, and Vue Speech products.

What this means
What could happen
An attacker could gain complete control of the Vue PACS system remotely, reading or modifying patient imaging data, disabling the PACS infrastructure, or running arbitrary commands on the servers that store and manage diagnostic images for the entire health system or hospital network.
Who's at risk
Healthcare organizations operating Philips Vue PACS should care about this advisory. Vue PACS is the core picture archiving and communication system (PACS) used by hospitals and health systems to store, manage, and distribute diagnostic imaging (X-rays, CT scans, MRI images, ultrasounds). Related products include Vue Motion (cardiac imaging), Vue MyVue (web portal), and Vue Speech (dictation/transcription). Any hospital or medical facility using these products is at risk of losing access to critical diagnostic images and having patient data compromised.
How it could be exploited
An attacker on the network (or from the internet if the PACS is Internet-facing) sends malformed requests or exploits broken authentication to bypass access controls and gain system privileges. Once authenticated, the attacker can execute arbitrary code or access sensitive imaging data and system files. No prior credentials are required.
Prerequisites
  • System must be running a vulnerable version (12.2.x.x or earlier)
  • Broken cryptography and authentication
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (4), fix status: 4 pending

Product      Affected Versions   Fix Status
Vue PACS     ≤ 12.2.x.x          No fix yet
Vue Motion   ≤ 12.2.1.5          No fix yet
Vue MyVue    ≤ 12.2.x.x          No fix yet
Vue Speech   ≤ 12.2.x.x          No fix yet
Remediation & Mitigation

Philips recommends configuring the Vue PACS environment per D000763414 - Vue_PACS_12_Ports_Protocols_Services_Guide, available on Incenter, and contacting Philips support for the following fixed releases:
  • Vue MyVue: Version 12.2.1.5 (June 2020) remediates CWE-693.
  • Vue Motion: Version 12.2.1.5 (June 2020) remediates CWE-324.
  • Vue Speech: Version 12.2.8.0 (May 2021) remediates CWE-693, CWE-319, CWE-119, CWE-287, and CWE-1214.
  • Vue PACS: Version 12.2.8.0 (May 2021) remediates CWE-20, CWE-119, and CWE-287.
