
CVE-2020-16228 : Security Advisory and Response

Discover the impact of CVE-2020-16228 on Philips patient monitoring devices. Learn about the vulnerability, affected systems, exploitation risks, and mitigation steps to secure your systems.

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate.

Understanding CVE-2020-16228

This CVE involves vulnerabilities in various Philips patient monitoring devices due to improper certificate revocation checks.

What is CVE-2020-16228?

In Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior, the software fails to properly validate certificate revocation status, potentially leading to the use of compromised certificates.

The Impact of CVE-2020-16228

The vulnerability could allow attackers to exploit compromised certificates, posing risks to the integrity and security of patient monitoring systems.

Technical Details of CVE-2020-16228

This section provides detailed technical insights into the vulnerability.

Vulnerability Description

The vulnerability lies in the failure to check or correctly verify the revocation status of certificates, enabling the use of compromised certificates.

Affected Systems and Versions

        Patient Information Center iX (PICiX) Versions C.02, C.03
        PerformanceBridge Focal Point Version A.01
        IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850
        IntelliVue X3 Versions N and prior

Exploitation Mechanism

An attacker holding a compromised certificate that has already been revoked could exploit this vulnerability, because the software would still accept that certificate, and use it to gain unauthorized access to or manipulate patient monitoring systems.
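The failure described above (no revocation check at all, or one that passes silently when the CRL is missing or stale) beside a fail-closed check, as an added example that is not part of this advisory or of the Philips software it describes; the Cert and Crl records, issuer names and serial numbers are constructed, and real X.509 parsing and signature verification are assumed to happen elsewhere.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed, simplified view of an X.509 chain and its CRLs (no DER parsing);
# signature and validity-period checks are assumed to happen elsewhere.
Cert = namedtuple("Cert", "serial subject issuer")
Crl = namedtuple("Crl", "issuer this_update next_update revoked_serials")

def accept_without_revocation_check(chain, crls, now):
    """The pattern the advisory describes: revocation is never consulted."""
    return True, "revocation not checked"

def revocation_check(chain, crls, now, max_crl_age=timedelta(days=7)):
    """Fail-closed check of every non-anchor certificate in the chain.
    chain is ordered leaf -> ... -> trust anchor; crls maps issuer name -> Crl.
    A missing, expired or stale CRL is a rejection, not a silent pass."""
    for cert in chain[:-1]:  # the self-signed anchor is trusted, not checked
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"no CRL available for issuer {cert.issuer!r}"
        if now > crl.next_update or now - crl.this_update > max_crl_age:
            return False, f"CRL for {cert.issuer!r} is expired or stale"
        if cert.serial in crl.revoked_serials:
            return False, f"cert {cert.serial} ({cert.subject}) is revoked"
    return True, "no certificate in the chain is revoked"

# Constructed sample data: a monitor certificate whose key was compromised
# and has been revoked by the issuing sub-CA, plus a healthy sibling.
NOW = datetime(2020, 9, 10, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)  # past the sub-CA CRL's nextUpdate
CHAIN = [Cert(4242, "monitor-01", "Hospital Sub-CA"),
         Cert(7, "Hospital Sub-CA", "Hospital Root CA"),
         Cert(1, "Hospital Root CA", "Hospital Root CA")]
GOOD_CHAIN = [Cert(4243, "monitor-02", "Hospital Sub-CA")] + CHAIN[1:]
CRLS = {
    "Hospital Sub-CA": Crl("Hospital Sub-CA", NOW - timedelta(days=1),
                           NOW + timedelta(days=6), frozenset({4242})),
    "Hospital Root CA": Crl("Hospital Root CA", NOW - timedelta(days=2),
                            NOW + timedelta(days=28), frozenset()),
}

if __name__ == "__main__":
    print(accept_without_revocation_check(CHAIN, CRLS, NOW))  # accepted anyway
    print(revocation_check(CHAIN, CRLS, NOW))        # rejected: cert 4242 revoked
    print(revocation_check(GOOD_CHAIN, CRLS, NOW))   # accepted: nothing revoked
    print(revocation_check(CHAIN, CRLS, LATER))      # rejected: stale sub-CA CRL
```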

Mitigation and Prevention

Learn how to mitigate and prevent the risks associated with CVE-2020-16228.

Immediate Steps to Take

        Isolate the Philips patient monitoring network from the hospital LAN using firewalls or routers with access control lists.
        Ensure the Simple Certificate Enrollment Protocol (SCEP) service is not running unless it is actively needed.
        Use unique challenge passwords when enrolling new devices via SCEP.
        Implement physical security controls to prevent unauthorized access to the PIC iX application.
        Restrict remote access to PIC iX servers to essential needs only.
        Grant login privileges based on roles and least privilege principles.

Long-Term Security Practices

        Maintain physical security of servers and equipment.
        Regularly update and patch systems to address vulnerabilities.
        Educate staff on security best practices and protocols.

Patching and Updates

        Philips released remediation versions for affected products to address the vulnerabilities.
        Upgrade to the latest secure versions as recommended by Philips.
