
CVE-2020-16212 : Vulnerability Insights and Analysis

Patient Information Center iX (PICiX) and related products are affected by CVE-2020-16212, exposing resources to unauthorized access. Learn about the impact, technical details, and mitigation steps.

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, and IntelliVue X3 and X2 Versions N and prior are affected by a vulnerability that exposes a resource to the wrong control sphere, potentially granting unauthorized access to the resource.

Understanding CVE-2020-16212

This CVE identifies a security issue in Philips' Patient Information Center iX (PICiX) and related products, leading to unauthorized access to resources.

What is CVE-2020-16212?

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts.

The Impact of CVE-2020-16212

The vulnerability could allow an attacker with physical access to the surveillance station to escape the kiosk's restricted environment and operate on the underlying system with limited privileges, potentially compromising the security and integrity of the affected systems.

Technical Details of CVE-2020-16212

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability exposes a resource to the wrong control sphere, enabling unauthorized actors to gain inappropriate access.

Affected Systems and Versions

        Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
        PerformanceBridge Focal Point Version A.01
        IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
        IntelliVue X3 and X2 Versions N and prior

Exploitation Mechanism

The application on the surveillance station operates in kiosk mode, making it susceptible to local breakouts that could allow an attacker with physical access to escape the restricted environment.

Mitigation and Prevention

The following strategies mitigate and help prevent exploitation of this vulnerability.

Immediate Steps to Take

        Physically or logically isolate the Philips patient monitoring network from the hospital LAN.
        Use firewalls or routers with access control lists to restrict network access.
        Ensure the Simple Certificate Enrollment Protocol (SCEP) service is not running unnecessarily.
        Implement unique challenge passwords for device enrollment using SCEP.
        Enforce physical security controls to prevent unauthorized access.
        Limit remote access to PIC iX servers to essential needs.
        Grant login privileges based on least-privilege and role-based access.

Long-Term Security Practices

        Maintain up-to-date security protocols and access controls.
        Regularly review and update security configurations.
        Conduct security training and awareness programs for staff.

Patching and Updates

        Philips released Patient Information Center iX (PICiX) Version C.03 to address the reported vulnerabilities.
        Certificate revocation within the system was implemented for PIC iX and PerformanceBridge Focal Point in 2023.
        The implementation for IntelliVue Patient Monitors is scheduled for completion in Q3 of 2024.
