Flaw in Philips ultrasound machines allows bypass of authentication

Photo credit Phillips

PARCA eNews – July 15, 2020 – Philips issued a warning about an authentication bypass affecting Philips Ultrasound Systems (CVE-2020-14477) that can potentially be used to allow an attacker to view or modify information. The vulnerability is due to the presence of an alternative path or channel that can be used to bypass authentication controls.
The flaw involves:

• Ultrasound ClearVue Versions 3.2 and prior
• Ultrasound CX Versions 5.0.2 and prior
• Ultrasound EPIQ/Affiniti Versions VM5.0 and prior
• Ultrasound Sparq Version 3.0.2 and prior and
• Ultrasound Xperius all versions

Philips has corrected the flaw for the Ultrasound EPIQ/Affiniti systems in its VM6.0 release.

For more information visit the Cybersecurity & Infrastructure Security Agency (CISA)

Users of these systems should contact their Philips representative for further information on installing the update.

Source: NIST National Vulnerability Database