Three vulnerabilities of low to medium severity have been discovered in Philips SureSigns VS4 vital signs monitors. An attacker who exploited them could gain access to the administrative controls, and the system settings could then be altered to transmit sensitive patient information to a remote location.
The Cleveland Clinic identified the vulnerabilities and reported them to Philips. Philips is not aware of any public exploits for the vulnerabilities, and no reports suggesting that any of them have been exploited have been received so far.
There are three categories of vulnerabilities:
CWE-20 – Improper input validation
The Philips SureSigns VS4 receives input or data but does not sufficiently validate that the input has the properties required for it to be processed safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has an assigned CVSS v3 base score of 2.1 out of 10.
CWE-287 – Improper authentication
When a user claims a given identity, the device performs inadequate checks during authentication to verify that the claim is correct. This vulnerability is tracked as CVE-2020-16239 and has an assigned CVSS v3 base score of 4.9 out of 10.
CWE-284 – Improper access control
The highest-severity vulnerability results from inadequate access controls, which fail to restrict, or incorrectly restrict, an unauthorized person from accessing a resource. An attacker exploiting this vulnerability could gain access to the administrative controls and system settings. It is tracked as CVE-2020-16241 and has an assigned CVSS v3 base score of 6.3 out of 10.
A security alert concerning the vulnerabilities has already been released under Philips’ Coordinated Vulnerability Disclosure Policy, together with suggested mitigations to reduce the risk of exploitation.
Philips advises replacing SureSigns VS4 devices with more recent technology. In the meantime, users are instructed to change all system passwords, using a unique password for each device, and to apply physical security measures to the devices when they are not in use.