Software Integrity

 

Synopsys finds 460 software vulnerabilities in hospital information system

PhilipsXper_AA-001-561

On Thursday researchers Mike Ahmadi of Synopsys and Billy Rios of Whitescope disclosed 460 vulnerabilities in Philips Xper Connect, an optional bidirectional hospital information system (HIS) interface. 272 of these vulnerabilities they said are present in 5 software packages present in the Xper-IM Connect system software. 188 of the vulnerabilities are associated with Windows XP operating system, which is no longer supported by Microsoft.

According to the Philips website, the Xper Connect family boasts more than 1,000 interface installations* with ADT, query ADT, billing, orders, inventory, labs, results, and discrete clinical data.

Exploitation of these vulnerabilities may allow a remote attacker to compromise an Xper-IM Connect system running Windows XP, Version 1.5.12 and prior versions. A breakdown of the vulnerabilities by Common Vulnerability Scoring System (CVSS) are as follows:

360 vulnerabilities were identified as having a CVSS base score of 7.0-10.0, and
100 vulnerabilities were identified as having a CVSS base score of 4.0-6.9.

Philips says that all the identified vulnerabilities can be addressed by upgrading the affected system to the Windows 2008-R2 operating system and to acquire software Version 1.5 Service Pack 13.

In March, Ahmadi and Rios identified 1,418 vulnerabilities in the CareFusion Pyxis SupplyStation. In that case, the product had been discontinued. In this case, there are more than 1,000 interface installations with ADT, query ADT, billing, orders, inventory, labs, results, and discrete clinical data, according to Philips.

For both vulnerability discoveries the researchers used Synopsys Protecode SC (formerly AppCheck).

Here is the official advisory from ICS-CERT.