Critical vulnerabilities in Philips EMR system could risk patient data
CISA has warned that hackers could extract info from medical databases or mount DoS attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that flaws in the Philips Tasy electronic medical records (EMR) system could be exploited by hackers to steal confidential patient data from medical databases.
In a security advisory, CISA said successful exploitation of these vulnerabilities “could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition.”
The issue affects the Philips Healthcare Tasy Electronic Medical Record (EMR) product Tasy EMR HTML5 3.06.1803 and prior. There are two flaws, CVE-2021-39375 and CVE-2021-39376.
The first flaw may enable a successful SQL injection attack that could result in patient data exposure and extraction.
According to MITRE’s Common Weakness Enumeration (CWE) on this fault, “without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.”
The second flaw also allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
“SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes,” the advisory warned.
It should be noted that to take advantage of the flaws, a hacker must have credentials that allow them into the system in the first place.
"At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," Philips said in an advisory. "Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."
To mitigate the problem, Philips recommended users update Tasy EMR HTML5 to Version 3.06.1804 or later with the latest available service pack where both CVEs are remediated.
-
Why Google DeepMind’s AlphaGo breakthrough paved the way for the generative AI revolutionNews AlphaGo's victory over Go champion Lee Sedol in 2016 gave a "definitive preview of the AI era" and laid the groundwork for today's powerful tools.
-
Handle calls like a boss with 3CX!We reveal how an AI-powered PA can handle calls in just one of the long list of improvements that comes with 3CX V20 Update 8
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
