Security restrictions bypass in Philips HDI 4000 Ultrasound



Published: 2019-08-30
Risk: Low
Patch available: No
Number of vulnerabilities: 1
CVE-ID: CVE-2019-10988
CWE-ID: CWE-477
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
HDI 4000 Ultrasound Systems
Hardware solutions / Medical equipment

Vendor: Philips

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Use of Obsolete Function

EUVDB-ID: #VU20484

Risk: Low

CVSSv3.1: 2.8 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-10988

CWE-ID: CWE-477 - Use of Obsolete Function

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to sensitive information on the target system.

The vulnerability exists because the software is built on an old operating system that is no longer supported. A local authenticated administrator can exploit this vulnerability to expose ultrasound images (a breach of confidentiality) and compromise image integrity.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Note, this hardware is no longer supported by the vendor.

Vulnerable software versions

HDI 4000 Ultrasound Systems: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsma-19-241-02


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


