Philips is working to fix a serious hard-coded credential flaw in its radiation dose management web portal that could allow a remote attacker to access patient records stored in the platform’s database.
The software, called DoseWise Portal, is used by hospitals to manage radiation levels that patients are exposed to when undergoing CT scans.
In an advisory published Thursday, Philips said DoseWise Portal stored hard-coded database credentials in the clear within backend system files.
“Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application which contains patient health information (PHI). Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability,” it said.
An attacker would need elevated privileges to access the files that contain the hard-coded credentials, which are stored behind additional security measures, according to Philips.
Still, according to the US DHS' ICS-CERT, an “attacker with a low skill would be able to exploit these vulnerabilities.”
Philips says the portal is deployed primarily in Australia, the US, Japan, and Europe, according to ICS-CERT’s advisory.
The hard-coded credential vulnerability ( CVE-2017-9656) has been assigned a Common Vulnerability Scoring System (CVSS) v3 base score of 9.1 out of a possible 10. The cleartext vulnerability has been given a CVSS v3 base score of 6.5.
There are currently no known public exploits for the two bugs. DoseWise Portal versions 220.127.116.113 and 18.104.22.16869 are vulnerable.
A DoseWise Portal customer reported the vulnerability to the Philips, which plans to release a new version addressing the flaw this month.
For customers with version 22.214.171.1243, Philips will assist them reconfigure the software to change and encrypt all stored passwords.
Customers with version 126.96.36.19969 will be updated to version 188.8.131.5218, which will “eliminate the hard-code password vulnerabilities”.
Philips has advised customers to block port 1433 except where a separate SQL server is used.