Philips Patient Monitoring Devices Improper Check for Certificate Revocation
CVE-2020-16228

6.4MEDIUM

Key Information:

Vendor: Philips
Status: Patient Information Center Ix (picix); Performancebridge Focal Point; Intellivue Patient Monitors; Intellivue X3
Vendor: CVE Published:; 11 September 2020

Summary

In Patient Information Center iX (PICiX) Versions C.02 and C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and prior, the software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a compromised certificate.

Affected Version(s)

IntelliVue patient monitors MX100

IntelliVue patient monitors MX400-MX550

IntelliVue patient monitors MX750

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

x_refsource_MISC

https://www.philips.com/productsecurity

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Jul 31, 2020

Credit

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.