The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of critical vulnerabilities affecting the Philips Tasy electronic medical records (EMR) system that could be exploited by remote threat actors to extract sensitive patient data from patient databases.
"Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA said in a medical bulletin issued on November 4.
Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.
The SQL injection flaws, CVE-2021-39375 and CVE-2021-39376, affect Tasy EMR HTML5 3.06.1803 and prior, and could essentially allow an attacker to modify SQL database commands, resulting in unauthorized access, exposure of sensitive information, or even the execution of arbitrary system commands. Both security issues have been rated 8.8 out of 10 in severity:
- CVE-2021-39375: The affected product allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- CVE-2021-39376: The affected product allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
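To make the bug class concrete, the following is an added illustration, not Philips' code: the table, column names and function names are assumptions, and the only thing it shares with the advisory is the shape of the flaw. It places a lookup that splices a caller-supplied FilterValue into SQL text beside the parameterized form that keeps that value as data, so restricted rows cannot be pulled in by the filter.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a hypothetical
    'dimension items' table; the real Tasy schema is not published."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dimension_item (code TEXT, name TEXT, restricted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO dimension_item VALUES (?, ?, ?)",
        [
            ("DIAG", "Diagnosis A", 0),
            ("DIAG", "Diagnosis B (restricted)", 1),
            ("PROC", "Procedure C", 0),
        ],
    )
    return conn


def get_items_unsafe(conn, code, filter_value):
    """Mirrors the bug class in the advisory: the caller-supplied filter
    value is spliced into SQL text, so a quote in it rewrites the WHERE
    clause and the 'restricted = 0' condition no longer governs the result."""
    sql = (
        "SELECT name FROM dimension_item WHERE code = '%s' "
        "AND name LIKE '%%%s%%' AND restricted = 0" % (code, filter_value)
    )
    return [row[0] for row in conn.execute(sql)]


def get_items_safe(conn, code, filter_value):
    """Hardened form: bound parameters keep the filter value as data.
    A quote inside it is just a character to match, never SQL syntax."""
    sql = (
        "SELECT name FROM dimension_item WHERE code = ? "
        "AND name LIKE ? AND restricted = 0"
    )
    return [row[0] for row in conn.execute(sql, (code, f"%{filter_value}%"))]
```
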
However, it is worth noting that taking advantage of these vulnerabilities requires that the threat actor already be in possession of credentials that grant access to the affected system.
"To date, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," the Dutch company noted in an advisory. "Philips' analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips' analysis also indicates there is no expectation of patient hazard due to this issue."
All healthcare providers using a vulnerable version of the EMR system are recommended to update to version 3.06.1804 or later as soon as possible to prevent potential real-world exploitation.