ICSMA-21-187-01 · Published 2022-04-05
Philips Vue PACS (Update B)
CVSS 9.8 (CRITICAL)
CISA KEV — Known Exploited
Risk Summary
Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.
CVEs (16)
Remediations
- Philips recommends configuring the Vue PACS environment per D000763414 - Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.
- Philips released Version 12.2.1.5 in June of 2020 for MyVue that remediates CWE-693 and recommends contacting support below.
- Philips released Version 12.2.1.5 in June of 2020 for Vue Motion that remediates CWE-324 and recommends contacting support below.
- Philips released Version 12.2.8.0 in May of 2021 for Speech that remediates CWE-693, CWE-319, CWE-119, CWE-287, and CWE-1214 and recommends contacting support below.
- Philips released Version 12.2.8.0 in May of 2021 for PACS that remediates CWE-20, CWE-119, CWE-287 and recommends contacting support below.
- Philips released a security fix for Speech in Nov 2021 that remediates CWE-665 and CWE-327 and recommends contacting support below.
- Philips released version 12.2.1.6 in December 2021 for VuePAC (WFM), Vue Motion (Enterprise Viewer), Vue Explorer, and Web System Configuration that remediates CWE-23.
- Philips released Version 12.2.8.100 in Q1 / 2022 for MyVue that remediates CWE-665 and CWE-710 and recommends contacting support below.
- Philips released Version 12.2.8.100 in Q1 / 2022 for PACS that remediates CWE-79, CWE-693, CWE-665, CWE-1188, CWE-327, CWE-176, CWE-522, CWE-710, and CWE-707 and recommends contacting support below.
- Philips will release a fix for PACS that remediates CWE-522, which has a low score of 3.7, in Q3 2023.
- Releases are subject to country-specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact a Philips Sales representative or submit a quote request in the eService portal at: Login - eService (philips.com).
- The Philips advisory is available.
- Please see the Philips product security website for the latest security information for Philips products.
Affected Vendors
Philips
Affected Products (4)
- Philips · Vue PACS: <= 12.2.x.x
- Philips · Vue Motion: <= 12.2.1.5
- Philips · Vue MyVue: <= 12.2.x.x
- Philips · Vue Speech: <= 12.2.x.x
Affected Sectors
Healthcare and Public Health