
Please find our Security Advisories here

Security Advisories

SailPoint IdentityIQ Advisory (CVE-2024-10905) (2024 December 06)

Publication Date: 2024 December 06

Update Date: 2024 December 06

Philips is currently monitoring developments and updates related to the recently released SailPoint advisory. A critical vulnerability (CVE-2024-10905) exists within SailPoint’s IdentityIQ Identity and Access Management software which could allow unauthorized access to information stored within the application directory. SailPoint has released e-fixes for each impacted and supported version of IdentityIQ.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Palo Alto PAN-OS Advisories (CVE-2024-0012) and (CVE-2024-9474) (2024 November 22)

Publication Date: 2024 November 22

Update Date: 2024 November 22

Philips is currently monitoring developments and updates related to two vulnerabilities pertaining to Palo Alto PAN-OS. A critical vulnerability allows an authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012). This enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities.

The other is a medium severity privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474). This allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Progress Kemp LoadMaster Advisory (CVE-2024-1212) (2024 November 22)

Publication Date: 2024 November 22

Update Date: 2024 November 22

Philips is currently monitoring developments and updates related to a critical severity vulnerability (CVE-2024-1212) disclosed for Progress Kemp LoadMaster, an application delivery controller (ADC) and load-balancing solution used by large organizations to optimize application performance, manage network traffic, and ensure high service availability. Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Laravel Advisory (CVE-2024-52301) (2024 November 21)

Publication Date: 2024 November 21

Update Date: 2024 November 21

Philips is currently monitoring developments and updates related to a high severity vulnerability (CVE-2024-52301) disclosed for Laravel, a popular web application framework. The vulnerability, if exploited, can expose Laravel-based applications to unauthorized access, data tampering, and privilege escalation. Laravel has released a patch to mitigate the issue on affected versions. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Windows Task Scheduler Advisory (CVE-2024-49039) (2024 November 18)

Publication Date: 2024 November 18

Update Date: 2024 November 18

Philips is currently monitoring developments and updates related to a critical vulnerability in Windows Task Scheduler (CVE-2024-49039) that was released as part of the Windows November update. By exploiting this vulnerability, an attacker could execute restricted RPC functions, gaining escalated privileges. An authenticated attacker would need to run a crafted application on a target system, elevating their privileges to a Medium Integrity Level.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing required immediate and proactive support such as remote patching.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Philips is providing the list below to better assist our customers in identifying any Philips products that could be impacted by Microsoft’s vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

867019 – IntelliVue XDS [1]

866009 – IntelliVue IGS [1]

865324/8866131/866458/867061 – IntelliVue Perinatal [1]

860426 – ISESG [1]

860343 – ST80i [1]

860292/860322 – Holter Tower [1]

860420 – TraceMasterVue [1]

836240 – Universal Data Manager [2]

836344 – IntelliSpace Radiology [2]

835043/835044 – IntelliSpace PACS [2]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

[1] Software-only products with customer-owned operating systems.

[2] Philips hosting and managed services businesses are in the process of evaluating and validating patches to the hosting and managed infrastructures.

FortiManager Missing Authentication Advisory (CVE-2024-47575) (2024 October 30)

Publication Date: 2024 October 30

Update Date: 2024 October 30

Philips is currently monitoring developments and updates related to a vulnerability in FortiManager appliances (CVE-2024-47575). This missing authentication for critical function vulnerability in the FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability to be exploited in the wild.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Microsoft Configuration Manager Advisory (CVE-2024-43468) (2024 October 28)

Publication Date: 2024 October 28

Update Date: 2024 October 28

Philips is currently monitoring developments and updates related to a critical vulnerability (CVE-2024-43468) that was released as part of Microsoft’s October update. This vulnerability affects Microsoft Configuration Manager and, if exploited successfully, allows remote code execution.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing required immediate and proactive support such as remote patching.

Cisco Adaptive Security Appliance Software Advisory (CVE-2024-20329) (2024 October 28)

Publication Date: 2024 October 28

Update Date: 2024 October 28

Philips is currently monitoring developments and updates related to a critical vulnerability (CVE-2024-20329) within Cisco’s Adaptive Security Appliance (ASA) Software. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Cisco VPN Routers Advisory (CVE-2024-20393 & CVE-2024-20470) (2024 October 14)

Publication Date: 2024 October 14

Update Date: 2024 October 14

Philips is currently monitoring developments and updates related to two critical vulnerabilities (CVE-2024-20393 and CVE-2024-20470) within Cisco’s Small Business Dual WAN Gigabit VPN Routers. The affected routers have reached end-of-life maintenance and cannot be patched. Cisco recommends that customers upgrade to the latest supported routers.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Windows Zero-Day Vulnerability Advisory (CVE-2024-43572 and CVE-2024-43573) (2024 October 14)

Publication Date: 2024 October 14

Update Date: 2024 October 14

Philips is currently monitoring developments and updates related to two zero-day vulnerabilities for which Microsoft has released patches: Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572) and Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573). Both vulnerabilities have been reported as being actively exploited. Microsoft has released mitigations and strongly recommends patching immediately.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Fortinet Data Breach Advisory (2024 September 20)

Publication Date: 2024 September 20

Update Date: 2024 September 20

Philips is currently monitoring developments and updates related to a security alert, issued in response to a data breach impacting Fortinet, a company that provides secure networking products and services.

For more information, see: Notice of Recent Security Incident

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

VMware VMSA-2024-0019 Advisory (CVE-2024-38812 & CVE-2024-38813) (2024 September 20)

Publication Date: 2024 September 20

Update Date: 2024 September 23

Philips is currently monitoring developments and updates related to the recently released VMware advisory VMSA-2024-0019. VMware has confirmed that two vulnerabilities (CVE-2024-38812 & CVE-2024-38813) exist in their vCenter Server and Cloud Foundation products. VMware has released updates to help remediate the vulnerabilities.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Philips is providing the list below to better assist our customers in identifying any Philips products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

837507 – IntelliSpace PACS [1]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

[1] For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing required immediate and proactive support such as remote patching.

Windows Update Downgrade Attack Advisory (CVE-2024-38202 and CVE-2024-21302) (2024 September 20)

Publication Date: 2024 September 20

Update Date: 2024 September 25

Philips is currently monitoring developments and updates related to two critical vulnerabilities (CVE-2024-38202 and CVE-2024-21302) that could be exploited in downgrade attacks to "unpatch" a fully updated Windows operating system. In downgrade attacks, threat actors force an up-to-date target device to roll back to older software versions, reintroducing previously mitigated vulnerabilities.

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips products.

Philips is providing the list below to better assist our customers in identifying any Philips products that could be impacted by these vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

989706010001 – Corsium [1]

860443 – ECI Event and Device Readiness [1]

837507 – IntelliSpace PACS [1]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

[1] Philips hosting and managed services businesses are in the process of evaluating and validating patches to the hosting and managed infrastructures.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing required immediate and proactive support such as remote patching.

Windows Critical TCP IPv6 Advisory (CVE-2024-38063) (2024 August 30)

Publication Date: 2024 August 30

Update Date: 2024 November 12

 

Philips is currently monitoring developments and updates related to a Critical TCP/IP Remote Code Execution (RCE) Vulnerability in Microsoft Windows (CVE-2024-38063). This vulnerability affects all systems running IPv6, which is enabled by default. Microsoft has released mitigations and strongly recommends patching immediately, as well as disabling IPv6 if not used.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require any security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary.

Affiniti (V4.0 – 10.0)

Compact 5000 (V1.0x)

Interventional Workspot 9.0.x/8.x/1.3/1.4.x/1.5.x/1.6.x/1.8.x

722063 - Azurion Rx.x

Echonav 2/3/4

881001/881011 – IntelliSpace Portal v12 2

723001 - Allura 8.x.30/8.x.100

867126 - ECI Patient Care Reporting (API) 2

867061 - IntelliSpace Perinatal (ISP)1

989706010001 – Corsium 2

860443 - ECI Event and Device Readiness 2

867019 - IntelliVue XDS1

Coronary Tools 3.1

EPIQ (V4.0 – 10.0)

860426 – IntelliSpace ECG 1

ClearVue (V3.3x)

860292 – Holter SW1,3

Sparq (V3.5x)

CX50 (V5.5x)

866009 - IntelliVue Guardian Software (IGS)1

Zenition  10/30/50/70/90

For all above products Philips is evaluating the best possible mitigations.

 

1 Software only products with customer owned Operating Systems.

2 Philips hosting and managed services businesses are in the process of evaluating, validating and utilizing Microsoft Extended Security Updates (ESUs) to the hosting and managed infrastructures.

3 Information regarding the validated OS or ESU is available in InCenter.

Windows SmartScreen Security Bypass Vulnerability (CVE-2024-38213) (2024 August 16)

Publication Date: 2024 August 16

Update Date: 2024 August 16

 

Philips is currently monitoring developments and updates related to a SmartScreen security bypass vulnerability within Microsoft Windows (CVE-2024-38213). Microsoft has released mitigations and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Windows Ancillary Function Driver for WinSock (CVE-2024-38193) (2024 August 16)

Publication Date: 2024 August 16

Update Date: 2024 August 16

 

Philips is currently monitoring developments and updates related to a critical elevation of privilege vulnerability within the Microsoft Windows Ancillary Function Driver for WinSock (CVE-2024-38193). Microsoft has released mitigations and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Microsoft Windows Power Dependency Coordinator Advisory (CVE-2024-38107) (2024 August 15)

Publication Date: 2024 August 15

Update Date: 2024 August 15

 

Philips is currently monitoring developments and updates related to a critical elevation of privilege vulnerability within the Microsoft Windows Power Dependency Coordinator component (CVE-2024-38107). Microsoft has released mitigations and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Windows Kernel Privilege Escalation Advisory (CVE-2024-38106) (2024 August 15)

Publication Date: 2024 August 15

Update Date: 2024 August 15

 

Philips is currently monitoring developments and updates related to a critical elevation of privilege vulnerability within the Microsoft Windows Kernel (CVE-2024-38106). Microsoft has released mitigations and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Windows Remote Desktop Licensing Service RCE Advisory (CVE-2024-38077) (2024 August 13)

Publication Date: 2024 August 13

Update Date: 2024 August 13

 

Philips is currently monitoring developments and updates related to a critical vulnerability within Microsoft’s Remote Desktop Licensing Service (CVE-2024-38077). Microsoft has released mitigations and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Microsoft CrowdStrike Outage (2024-July-19)

Publication Date: 2024 July 19

Update Date: 2024 July 19

 

Philips is currently monitoring developments and updates related to the worldwide outage on Windows systems. The outage was triggered unintentionally by an update CrowdStrike pushed out. CrowdStrike has already rolled back the update, and a fix for the defect has been deployed. See the link below for the official statement:

Statement on Falcon Content Update for Windows Hosts - crowdstrike.com


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this CrowdStrike incident. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

866389/867141 – PICix*

Note:

*Please have your IT department contact CrowdStrike for next steps and remediation.

Philips VuePACS (2024-July-18)

Publication Date: 2024-July-18

Update Date: 2024-November-26

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding potential vulnerabilities related to Philips Vue PACS versions prior to 12.2.8.410.

 

Under specific conditions, the potential security vulnerabilities identified by Philips could allow an attacker to gain access to the database, which could impact system availability and data integrity or cause a denial-of-service condition.

 

To date, Philips has not received any reports of patient harm, exploitation of these issues, or incidents from clinical use that we have been able to associate with these issues.

 

Philips recommends the following mitigations:

 

  • For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide, available on InCenter. Vue PACS version 12.2.8.410 addresses this vulnerability.
  • For CVE-2023-40704, Philips recommends no action, due to the low risk of exploitation; customers may nevertheless request that Philips update the database password(s).

 

Philips has reported this vulnerability publicly and to the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.

 

CISA website: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01

 

TeamViewer Advisory (CVE-2024-0819) (2024 July 11)

Publication Date: 2024 July 11

Update Date: 2024 July 11

 

Philips is currently monitoring developments and updates related to a vulnerability (CVE-2024-0819) in TeamViewer. Improper initialization of default settings in TeamViewer Remote Client prior to version 15.51.5 for Windows, Linux and macOS allows a low-privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

OpenSSH RegreSSHion Advisory (CVE-2024-6387) (2024 July 8)

Publication Date: 2024 July 8

Update Date: 2024 July 8

 

Philips is currently monitoring developments and updates related to a critical vulnerability (CVE-2024-6387) within OpenSSH, a suite of secure networking utilities based on the SSH protocol that is essential for secure communication over unsecured networks. It provides robust encryption, secure file transfers, and remote server management.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Progress Telerik Report Server Advisory (Multiple CVEs) (2024 June 17)

Publication Date: 2024 June 17

Update Date: 2024 June 17

 

Philips is currently monitoring developments and updates related to two critical vulnerabilities within Progress’s Telerik Report Server (CVE-2024-1800, CVE-2024-4358). Progress recommends updating to the latest version of Telerik Report Server that addresses the two critical vulnerabilities.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Snowflake Advisory (2024 June 10)

Publication Date: 2024 June 10

Update Date: 2024 June 10

 

Philips is currently monitoring developments and updates related to a series of targeted attacks on the enterprise customers of Snowflake, a cloud-based data warehouse vendor providing cloud-based data storage and analytics services.


Snowflake has issued recommendations for customers to query for unusual activity and conduct further analysis to prevent unauthorized user access. Users are also encouraged to hunt for any malicious activity and report any positive findings to CISA.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

HPE FlexNetwork and FlexFabric Switches Vulnerability (CVE-2024-22439) (2024 May 23)

Publication Date: 2024 May 23

Update Date: 2024 May 23

 

Philips is currently monitoring developments and updates related to reports of a potential security vulnerability identified in HPE FlexFabric and FlexNetwork series products (CVE-2024-22439). This vulnerability could be exploited to gain privileged access to switches, resulting in information disclosure.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

835043/835044 – IntelliSpace PACS 1

For all above products Philips is evaluating the best possible mitigations.

 

1 For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.

F5 BIG-IP Multiple Vulnerabilities (CVE-2024-21793 and CVE-2024-26026) (2024 May 17)

Publication Date: 2024 May 16

Update Date: 2024 May 16

 

Philips is currently monitoring developments and updates related to reports of multiple vulnerabilities in F5 BIG-IP (CVE-2024-21793 and CVE-2024-26026). The vulnerabilities reside in BIG-IP Next Central Manager, a component in the latest generation of the BIG-IP line of appliances that organizations use to manage traffic going into and out of their networks.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Cisco ArcaneDoor Advisory (Multiple CVEs) (2024 April 30)

Publication Date: 2024 April 30

Update Date: 2024 April 30

 

Philips is currently monitoring developments and updates related to a recently released Cisco advisory addressing ArcaneDoor, an attack campaign exploiting Cisco Adaptive Security Appliances (ASA) devices and Cisco Firepower Threat Defense (FTD) software.


Cisco has released patches for three vulnerabilities (CVE-2024-20353, CVE-2024-20359, CVE-2024-20358) and strongly recommends patching immediately.


Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Sisense Advisory (2024 April 16)

Publication Date: 2024 April 16

Update Date: 2024 April 18

 

Philips is currently monitoring developments and updates related to a CISA security alert, issued in response to a compromise discovered by independent security researchers impacting Sisense, a company that provides data analytics services.


For more information, see: Compromise of Sisense Customer Data | CISA


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require any security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this Sisense incident. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary.

Philips VitalHealth Questionnaire Manager 6.3.3.0 1

For all the above-mentioned products, Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

 

1 Information available on Philips InCenter. Please contact your local service support team.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS): no Philips RSN systems are impacted by this Sisense cybersecurity incident, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing required immediate and proactive support such as remote patching.

Terrapin Attack SSH Advisory (CVE-2023-48795) (2024 April 8)

Publication Date: 2024 April 8

Update Date: 2024 May 16

 

Philips is currently monitoring developments and updates related to an SSH transport protocol vulnerability (CVE-2023-48795) that affects many SSH client and server implementations. This vulnerability, also known as the "Terrapin attack", could allow an attacker to downgrade the security of an SSH connection by manipulating information transferred during the connection's initial handshake/negotiation sequence.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

718133 – Zenition 70

MsMs 2

Home+ 2

867173 – VitalSky

453564235171/81 – Smarthopping 2

For all above products Philips is evaluating the best possible mitigations.

 

1 Software only products with customer owned Operating Systems.

2 For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.

Google Chrome Advisory (CVE-2024-2883) (2024 April 5)

Publication Date: 2024 April 5

Update Date: 2024 April 5

 

Philips is currently monitoring developments and updates related to reports of a critical-severity zero-day vulnerability (CVE-2024-2883), disclosed recently, that affects all Chromium-based browsers, including Edge. The vulnerability affects ANGLE (Almost Native Graphics Layer Engine), used within the WebGL graphics renderer. The issue was initially disclosed by Chrome, and then further by Microsoft, which confirmed that, as per Google, it was being exploited and affects Microsoft Edge browsers.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

  • 866435 – Care Event ¹
  • 866389 – PICix (All Versions) ¹
  • Data Warehouse Connect ¹
  • 867113 – Focal Point ¹
  • Acute Patient Monitoring Platform (ACPMP)

For all above products Philips is evaluating the best possible mitigations.

¹ Software only products with customer owned Operating Systems.

XZ Utils Advisory (CVE-2024-3094) (2024 April 5)

Publication Date: 2024 April 5

Update Date: 2024 April 5

 

Philips is currently monitoring developments and updates related to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1 (CVE-2024-3094). XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.


CISA recommends that developers and users downgrade XZ Utils to an uncompromised version (such as XZ Utils 5.4.6 Stable), hunt for any malicious activity, and report any positive findings to CISA.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

DICOM Element Parsing Advisory (CVE-2024-24793, CVE-2024-24794) (2024 March 15)

Publication Date: 2024 March 15

Update Date: 2024 March 15

 

Philips is currently monitoring developments and updates related to two use-after-free vulnerabilities discovered within DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5 (CVE-2024-24793, CVE-2024-24794). A patch to address the above critical vulnerabilities has been issued.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Linux Kernel Advisory (CVE-2024-26582) (2024 February 29)

Publication Date: 2024 February 29

Update Date: 2024 February 29

 

Philips is currently monitoring developments and updates related to a vulnerability within the Linux kernel (CVE-2024-26582). A use-after-free vulnerability was found in the TLS subsystem of the Linux kernel. The tls_decrypt_sg() function does not take references on the pages from clear_skb, so the put_page() in tls_decrypt_done() releases them, and a use-after-free can be triggered in process_rx_list when trying to read from the partially-read skb. This issue could lead to a denial of service condition or code execution.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

  • IIT REACTS ¹
  • Collaboration Live ¹
  • Cardiologs ¹
  • 863359/863380 – EarlyVue VS30 ¹

For all above products Philips is evaluating the best possible mitigations.

¹ For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Ivanti Connect Secure and Policy Secure Advisory (Multiple CVE's) (2024 February 12)

Publication Date: 2024 February 12

Update Date: 2024 February 12

 

Philips is currently monitoring developments and updates related to multiple vulnerabilities discovered within all supported versions of Ivanti Connect Secure and Policy Secure products (CVE-2024-21888, CVE-2024-21893, CVE-2023-46805). Ivanti has released a patch to address the above critical vulnerabilities.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

GitLab Critical Vulnerability (CVE-2023-7028) (2024 January 26)

Publication Date: 2024 January 25

Update Date: 2024 January 25

 

Philips is aware and is currently monitoring developments and updates related to the recent GitLab critical zero-click account hijacking vulnerability (CVE-2023-7028).

 

The vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.7.1 and was addressed with the release of GitLab versions 16.5.6, 16.6.4, and 16.7.2. The fix was backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Citrix NetScaler ADC and Gateway (CVE-2023-6548, CVE-2023-6549) (2024 January 22)

Publication Date: 2024 January 22

Update Date: 2024 January 22

 

Philips is currently monitoring developments and updates related to two vulnerabilities discovered in Citrix ADC and Gateway (CVE-2023-6548, CVE-2023-6549). Applicable products include Citrix NetScaler ADC and NetScaler Gateway.

 

These vulnerabilities affect the following supported versions of NetScaler ADC and NetScaler Gateway:

 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’ policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

 

Any media inquiries should be directed to:


Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com
