CVE-2020-16218 : Security Advisory and Response

Learn about CVE-2020-16218, a Cross-site Scripting vulnerability in Philips Patient Information Center iX (PICiX) and related devices. Find out the impact, affected systems, exploitation details, and mitigation steps.

Affected products: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03; PerformanceBridge Focal Point Version A.01; IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior; and IntelliVue X3 and X2 Versions N and prior. In these products, the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.

Understanding CVE-2020-16218

This CVE involves a vulnerability in Philips Patient Information Center iX (PICiX) and other related devices that could allow unauthorized access to patient data.

What is CVE-2020-16218?

CVE-2020-16218 is a Cross-site Scripting (CWE-79) vulnerability affecting Patient Information Center iX (PICiX) and other Philips devices. It arises from improper neutralization of input during webpage generation.

The Impact of CVE-2020-16218

The vulnerability could be exploited to gain unauthorized access to patient data through a read-only web application, potentially compromising patient privacy and confidentiality.

Technical Details of CVE-2020-16218

This section provides more in-depth technical information about the vulnerability.

Vulnerability Description

The software fails to properly neutralize user-controllable input before using it in webpage output, leading to a Cross-site Scripting vulnerability.
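The neutralization step described above, shown as an added example that is not Philips code and not part of the original advisory: a hypothetical table-cell template rendered without and with output encoding, followed by a parser-based regression check. The record fields, function names and sample values are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample record; the field names are hypothetical and are not
# taken from the Philips products.
SAMPLE = {"unit": 'ICU" onmouseover="x', "bed_label": "<script>alert(1)</script>"}

def render_vulnerable(rec):
    # CWE-79 pattern: values are concatenated into markup unchanged.
    return '<td title="%s">%s</td>' % (rec["unit"], rec["bed_label"])

def render_hardened(rec):
    # Encode at output time; quote=True also encodes " and ' so a value
    # cannot close the title attribute it is placed in.
    unit = html.escape(rec["unit"], quote=True)
    label = html.escape(rec["bed_label"], quote=True)
    return '<td title="%s">%s</td>' % (unit, label)

class _Structure(HTMLParser):
    """Records every element, attribute name and text run the markup creates."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)
    def handle_data(self, data):
        self.text.append(data)

def structure(markup):
    parser = _Structure()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.attrs, "".join(parser.text)

def unexpected_structure(markup, allowed_tags=("td",), allowed_attrs=("title",)):
    """Regression check: any tag or attribute outside the template's own set
    means input was interpreted as markup instead of being shown as text."""
    tags, attrs, _ = structure(markup)
    return sorted(set(tags) - set(allowed_tags)) + sorted(set(attrs) - set(allowed_attrs))
```

With the hardened renderer the parsed output contains only the template's own `td` element and `title` attribute, and the displayed text is the original value character for character.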

Affected Systems and Versions

        Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
        PerformanceBridge Focal Point Version A.01
        IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
        IntelliVue X3 and X2 Versions N and prior

Exploitation Mechanism

Successful exploitation involves injecting malicious scripts via user-controllable input, which are then executed in the context of other users accessing the web application.

Mitigation and Prevention

Protecting systems from CVE-2020-16218 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Physically or logically isolate the patient monitoring network from the hospital LAN using firewalls or routers with access control lists.
        Ensure the Simple Certificate Enrollment Protocol (SCEP) service is not running unless actively needed.
        Enroll new devices with unique challenge passwords and implement physical security controls.
        Restrict remote access to PIC iX servers to essential needs only.
        Grant login privileges based on roles and least privilege principles.

Long-Term Security Practices

        Maintain strict access controls and monitoring of equipment.
        Regularly update and patch systems to remediate known vulnerabilities.

Patching and Updates

        Philips released remediation in Patient Information Center iX (PICiX) Version C.03.
        Certificate revocation within the system was implemented for PIC iX.
