As part of a client request, our research team here at Finite State evaluated the firmware of medical devices on their network. In the course of this work, we found a critical vulnerability related to an insecure firmware update process and hard-coded credentials on the firmware of an IntelliVue WLAN module. The vulnerability could cause the device to become inoperable through corruption of its firmware. Newer versions of the WLAN hardware and firmware do not use this update process, and Philips is taking steps to ensure older devices and firmware are patched. A summary of affected devices is at the bottom of this post.
Since discovery, we’ve been working with Philips and CISA to disclose this vulnerability. ICS-VU-647317 released today, and this blog details some of our findings. Philips supports coordinated vulnerability disclosure, and encourages vulnerability testing by security researchers and by customers, with responsible reporting to the company.
The firmware update process for the IntelliVue WLAN Module is handled by the upgrade.sh script. This script is started as a background process during device initialization. It continuously checks for the existence of the hardcoded filename in an FTP log file to determine if an update has been uploaded to the device. When an update is found, the firmware is written to the device flash memory. Fortunately, this firmware update process was never used by Philips and was likely a remnant of development.
The IntelliVue WLAN Module has hard-coded credentials that an attacker can use to upload malicious firmware via FTP. The update script checks if the hardcoded filename is a valid image, but no security verification, such as checksum, hash or digital signature is performed. Once passed the image check, upgrade.sh then writes the uploaded firmware to the backup firmware partition residing in flash memory. The backup partition is then set to be the active boot device and the module is rebooted.
This vulnerability can lead to device failure through corruption of the device firmware. Successful exploitation requires hard-coded user credentials and adjacent network access to upload the firmware.
Philips maintains a product security page with information on coordinated vulnerability disclosure, with defined processes and contact points at https://www.usa.philips.com/a-w/security/coordinated-vulnerability-disclosure.html
The following table summarizes of the affected devices. Vulnerable devices are shown in columns labeled WLAN Version A and WLAN Version B. Philips recommends migrating to WLAN Version C where possible.
WLAN Version A | WLAN Version B | WLAN Version C | |
MP20 – 90
(M8001A/2A/3A/4A/5A/7A/8A/10A)
|
FW: A.03.09 | ||
MP5/5SC
(M8105A/5AS)
|
FW: A.03.09
Part #: M8096-67501 |
FW: B.00.31
Part #: 453564514531 |
|
MP2/X2
(M8102A/M3002A)
|
FW: A.01.09
Part #: N/A (Replaced by Version C) |
FW: B.00.31
Part #: 453564505891 |
|
MX800/700/600
(865240/41/42)
|
FW: A.01.09
Part #: N/A (Replaced by Version C) |
FW: B.00.31
Part #: 453564505901 |
For more, visit Philips Product Security or visit the official Cyber & Infrastructure Security Agency (CISA) advisory page.
Not all versions are affected, so please see the disclosure for more information.