Three Vulnerabilities Discovered in Philips SureSigns Vital Signs Monitors

Three low- to medium-severity vulnerabilities have been discovered in Philips SureSigns VS4 vital signs monitors. An attacker who exploited them could gain access to the administrative controls and alter system settings so that sensitive patient information is transmitted to a remote location.

The Cleveland Clinic identified the vulnerabilities and reported them to Philips. Philips is not aware of any public exploits for the vulnerabilities and has received no reports of any of them being exploited.

The vulnerabilities fall into three CWE categories:

CWE-20 – Improper input validation

The Philips SureSigns VS4 receives input or data but does not sufficiently validate that the input has the properties required to process it safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has been assigned a CVSS v3 base score of 2.1 out of 10.

CWE-287 – Improper authentication

When a user claims to have a given identity, the device performs inadequate checks to verify that claim during authentication. This vulnerability is tracked as CVE-2020-16239 and has been assigned a CVSS v3 base score of 4.9 out of 10.

CWE-284 – Improper access control

The most severe of the three stems from inadequate access controls, which fail to restrict, or incorrectly restrict, an unauthorized actor's access to a resource. An attacker exploiting the vulnerability could gain access to administrative controls and system settings. This vulnerability is tracked as CVE-2020-16241 and has been assigned a CVSS v3 base score of 6.3 out of 10.

A security advisory covering the vulnerabilities has been released under Philips’ Coordinated Vulnerability Disclosure Policy, together with suggested mitigations to reduce the risk of exploitation.

Philips advises replacing SureSigns VS4 devices with more recent technology. In the meantime, users are instructed to change all system passwords so that every device has a unique password, and to apply physical security measures to the devices when they are not in use.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone