Please find our Security Advisories here

Security Advisories

Microsoft Remote Procedure Call (RPC) Advisory (CVE-2023-2178) & (CVE-2023-23405) (2023 March 22)

Publication Date: 2023 March 22

Update Date: 2023 March 23

Philips is currently monitoring developments and updates related to two critical Remote Code Execution vulnerabilities (CVE-2023-21708) & (CVE-2023-23405) within the Remote Procedure Call Runtime library of Microsoft Windows Operating System. Successful exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to take control of the system.

Microsoft has already released a patch for these vulnerabilities as part of their March security update.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

866435 - CareEvent (B.x/C.x) ¹	837507 - IntelliSpace PACS ²	836240 - Universal Data Manager ²
Data Warehouse Connect ¹	866389 - PICix (All Versions) ¹	784001 – UroNav (3.0, 4.1)

For all above products Philips is evaluating the best possible mitigations.

¹ Software only products with customer owned Operating Systems.

² Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

CISA/FBI Ransomware Cybersecurity Advisory (2023 February 15)

Publication Date: 2023 February 15

Update Date: 2023 February 15

Philips is aware of the recent joint CISA, FBI, and HHS Cybersecurity Advisory (CSA) warning healthcare facilities of the risks associated with Ransomware attacks funding Democratic People’s Republic of Korea (DPRK) espionage activities.

This Alert (AA23-040A) highlights the fact that there has been an increase in the number of ransomware attacks that are being used to fund DPRK espionage activities targeting the Healthcare Industry. This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. Philips encourages all customers to visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

For more information, see: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Note:

VMware ESXi OpenSLP Ransomware Attacks (CVE-2021-21974) - (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 10

Philips is aware and is currently monitoring developments and updates related to the recent Ransomware attacks in Europe, exploiting a heap-overflow vulnerability (CVE-2021-21974) within the OpenSLP service found on VMware’s ESXi Hypervisors.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

860426 - IntelliSpace ECG Management System (IECG) ¹	837507 – IntelliSpace PACS ²	Trace Master Vue 3.6 ¹
836240 - Universal Data Manager ² (UDM)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned operating systems.

² For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure

Note:

Apache Commons Text Advisory (CVE-2022-42889) -Text4Shell (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 09

Philips is currently monitoring developments and updates related to the recently released Apache Commons Text advisory concerning a critical vulnerability(CVE-2022-42889) impacting Apache Commons Text Library versions 1.5 through 1.9.

In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Apple Security Update - (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 06

Philips is currently monitoring developments and updates related to the recently released Apple security update that addresses several vulnerabilities in multiple products. Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected device.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

JSON Web Token Advisory (CVE-2022-23529) - (2023 January 17)

Publication Date: 2023 January 17

Update Date: 2023 January 17

Philips is currently monitoring developments and updates related to the recently released critical security vulnerability (CVE-2022-23529) within JSON web token, an open-source JavaScript package that is used for authentication, authorization and for securely exchanging data.

Successful exploitation of this vulnerability could allow an attacker to perform a remote code execution attack. The latest version of JSON web token (9.0.0) is recommended as it includes a fix for the above-mentioned vulnerability.

 
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability - (2023 January 11)

Publication Date: 2023 January 11

Update Date: 2023 January 11

Philips is currently monitoring developments and updates related to the recent security zero-day vulnerability released by Linux.

Linux has released security updates to address a zero-day kernel vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.

Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

Any media inquiries should be directed to:

Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com