Philips Patient Monitoring Devices Exposure of Resource to Wrong Sphere
CVE-2020-16212

6.8MEDIUM

Key Information:

Vendor: Philips
Status: Patient Information Center Ix (picix)
Vendor: CVE Published:; 11 September 2020

Summary

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.

Affected Version(s)

Patient Information Center iX (PICiX) B.02

Patient Information Center iX (PICiX) C.02

Patient Information Center iX (PICiX) C.03

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

https://www.philips.com/productsecurity

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Jul 31, 2020

Credit

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.