Three medium-severity vulnerabilities were found in Philips MRI products. An unauthorized person could exploit them to run the software, alter device settings, access and modify files, and export information, including protected health information (PHI), to an untrusted location.
Aguilar discovered inadequate access controls that did not restrict access by unauthorized persons (CVE-2021-3083), software that designates an owner outside the intended control sphere (CVE-2021-3085), and sensitive information exposed to persons who should not have access to it (CVE-2021-3084). The three vulnerabilities were assigned a CVSS v3 base score of 6.2 out of 10.
Secureworks Adversary Group consultant Michael Aguilar identified the vulnerabilities. They affect Philips MRI 3T: Version 5.x.x and Philips MRI 1.5T: Version 5.x.x. Aguilar reported the vulnerabilities to Philips, and a patch is scheduled for release in October 2022. In the meantime, Philips advises implementing mitigating measures to prevent exploitation of the vulnerabilities.
The mitigations consist of operating the Philips MRI machines only under authorized conditions and ensuring that both physical and logical controls are in place. Only authorized individuals should be permitted access to the location of the MRI machines, and all instructions for using the machines furnished by Philips should be followed.
Philips has not received any reports of exploitation of the vulnerabilities, nor any reports of clinical incidents involving the products in connection with the three vulnerabilities.