CVE-2021-39376

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Philips Healthcare Tasy EMR 3.06 allows attackers to execute arbitrary SQL commands via the IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameters of the CorCad_F2/executaConsultaEspecifico endpoint. It affects healthcare organizations running the vulnerable Tasy EMR version and can compromise patient data and system integrity.

💻 Affected Systems

Products:
  • Philips Healthcare Tasy Electronic Medical Record (EMR)
Versions: 3.06
Operating Systems: Windows Server (typical deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the CorCad_F2/executaConsultaEspecifico endpoint with IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameters. Healthcare environments with internet-facing interfaces are at highest risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to patient data theft, system takeover, and potential manipulation of medical records affecting patient care.

🟠 Likely Case

Unauthorized access to sensitive patient health information (PHI), potential data exfiltration, and privilege escalation within the EMR system.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH if the Tasy EMR web interface is exposed to the internet, as SQL injection can be exploited remotely.
🏢 Internal Only: HIGH even if only internally accessible, as attackers could pivot from other compromised systems or malicious insiders could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited with readily available tools. The specific parameters and endpoint are documented in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Philips Healthcare for patched version

Vendor Advisory: https://www.philips.com/healthcare/productsecurity

Restart Required: Yes

Instructions:

1. Contact Philips Healthcare support for the security patch.
2. Apply the patch following vendor instructions.
3. Restart the Tasy EMR application/services.
4. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platforms: all

Deploy a WAF with SQL injection rules to block malicious requests to the vulnerable endpoint.

Network Segmentation

Platforms: all

Restrict access to the Tasy EMR interface to only authorized healthcare personnel and systems.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at the application layer if source code access is available.
  • Monitor and block suspicious SQL patterns in database logs and network traffic to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Test the CorCad_F2/executaConsultaEspecifico endpoint with SQL injection payloads in IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameters. Use tools like sqlmap with caution in production.

Check Version:

Check Tasy EMR version in application interface or configuration files (typically 3.06 indicates vulnerable).

Verify Fix Applied:

Retest the vulnerable endpoint with SQL injection payloads after patching; injection attempts should now be rejected rather than executed. Check application logs to confirm the parameters are handled as data, not as SQL.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs from the Tasy application
  • Multiple failed login attempts or parameter manipulation in web server logs for CorCad_F2/executaConsultaEspecifico

Network Indicators:

  • HTTP requests to CorCad_F2/executaConsultaEspecifico with SQL keywords (e.g., UNION, SELECT, INSERT) in parameters

SIEM Query:

source="web_server" AND uri="*CorCad_F2/executaConsultaEspecifico*" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*")
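As an added example (not part of the original advisory or Philips' own tooling), the SIEM query above can be reproduced offline over web-server access logs: the script below parses Common Log Format lines, isolates requests to the CorCad_F2/executaConsultaEspecifico endpoint, and flags SQL keywords in the IE_CORPO_ASSIST and CD_USUARIO_CONVENIO parameters, including double-URL-encoded values that a single-decode keyword match would miss. The log lines, client addresses and payload shapes are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Endpoint and parameters named in CVE-2021-39376 (from the advisory above).
VULN_ENDPOINT = "CorCad_F2/executaConsultaEspecifico"
WATCHED_PARAMS = {"IE_CORPO_ASSIST", "CD_USUARIO_CONVENIO"}
# Keyword list mirrors the advisory's SIEM query; tune it to your traffic to cut noise.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)
# Common Log Format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return a finding dict for a request to the vulnerable endpoint whose watched
    parameters contain SQL keywords, or None if the line is not suspicious."""
    m = LOG_RE.match(line)
    if not m or VULN_ENDPOINT not in m.group("uri"):
        return None
    params = parse_qs(urlparse(m.group("uri")).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        if name.upper() not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already URL-decoded once; decoding again exposes
            # double-encoded payloads (%2555NION -> %55NION -> UNION).
            decoded = unquote_plus(value)
            hits.extend((name, kw.upper()) for kw in SQL_KEYWORDS.findall(decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "hits": hits}

def scan(lines):
    """Run analyze_line over an iterable of access-log lines; return findings only."""
    return [finding for finding in map(analyze_line, lines) if finding]

# Constructed sample log lines (not real traffic): a benign request, a plain injection
# attempt, an unrelated endpoint, and a double-encoded attempt on the second parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2021:09:14:02 -0300] "GET /tasy/CorCad_F2/executaConsultaEspecifico'
    '?IE_CORPO_ASSIST=S&CD_USUARIO_CONVENIO=12345 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Oct/2021:09:15:40 -0300] "GET /tasy/CorCad_F2/executaConsultaEspecifico'
    '?IE_CORPO_ASSIST=S%27%20UNION%20SELECT%201%2C2--&CD_USUARIO_CONVENIO=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Oct/2021:09:16:11 -0300] "GET /tasy/Outro/consulta?q=UNION HTTP/1.1" 200 64',
    '198.51.100.7 - - [12/Oct/2021:09:17:03 -0300] "GET /tasy/CorCad_F2/executaConsultaEspecifico'
    '?IE_CORPO_ASSIST=S&CD_USUARIO_CONVENIO=1%2520%2555NION%2520%2553ELECT HTTP/1.1" 200 2048',
]
```

Calling `scan(SAMPLE_LOG)` returns findings for the two requests from 198.51.100.7 only; the benign request and the unrelated endpoint produce nothing, and a 200 status on a flagged request is worth correlating with database logs because it suggests the injected query was executed.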

🔗 References
