CVE-2020-16216

Summary

In IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior, the product receives input or data but does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly, which can induce a denial-of-service condition through a system restart.

Affected Software

VendorProductVersion RangeStatus
PhilipsIntelliVue patient monitorsMX100affected
PhilipsIntelliVue patient monitorsMX400-550affected
PhilipsIntelliVue patient monitorsMX600affected
PhilipsIntelliVue patient monitorsMX700affected
PhilipsIntelliVue patient monitorsMX750affected
PhilipsIntelliVue patient monitorsMX800affected
PhilipsIntelliVue patient monitorsMX850affected
PhilipsIntelliVue patient monitorsMP2-MP90affected
PhilipsIntelliVueX2affected
PhilipsIntelliVueX3affected
PhilipsIntelliVue0 <= Naffected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

As a mitigation to these vulnerabilities, Philips recommends the following:

  • The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses. Refer to the Philips Patient Monitoring System Security for Clinical Networks guide for additional information on InCenter https://incenter.medical.philips.com/ .

  • By default, the simple certificate enrollment protocol (SCEP) service is not running. When needed, the service is configured to run based on the duration or the number of certificates to be assigned. One certificate is default, but if a certificate is not issued, the service will continue to run. Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.

  • When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits.

  • Implement physical security controls to prevent unauthorized login attempts on the PIC iX application. Servers should be kept in controlled locked data centers. Access to equipment at nurses’ stations should be controlled and monitored.

  • Only grant remote access to PIC iX servers on a must-have basis.

  • Grant login privileges to the bedside monitor and PIC iX application on a role-based, least-privilege basis, and only to trusted users.

Users with questions regarding their specific Philips Patient Information Center (PIC iX) and/or IntelliVue patient monitor installations and new release eligibility should contact their local Philips service support team, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377.

Please see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.

ADP Enrichment

CVE Program Container

Additional References

References