
Security Advisories

OFFIS DCMTK Vulnerabilities (Multiple CVEs) (2022 June 29)

Publication Date: 2022 June 29

Update Date: 2022 June 29

 

Philips is currently monitoring developments and updates related to the recently released OFFIS advisory concerning multiple vulnerabilities (CVE-2022-2119), (CVE-2022-2120), (CVE-2022-2121) within several versions (All prior to 3.6.7) of the DCMTK libraries and software.

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, or gain remote code execution.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions. 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

CISA Emergency Directive VMware (Multiple CVEs) (2022 May 20)

Publication Date: 2022 May 20

Update Date: 2022 May 20

 

Philips is currently monitoring developments and updates related to the recently released CISA emergency directive concerning multiple vulnerabilities in several VMware products. The emergency directive is in response to observed or expected active exploitation of a series of vulnerabilities (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products:

 

  • VMware Workspace ONE Access (Access),
  • VMware Identity Manager (vIDM),
  • VMware vRealize Automation (vRA),
  • VMware Cloud Foundation,
  • vRealize Suite Lifecycle Manager (impacted VMware products).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing the vulnerable VMware products for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for VMware updates related to these vulnerabilities and evaluating further possible actions as needed.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. 

F5 Advisory (CVE-2022-1388) (2022 May 13)

Publication Date: 2022 May 13

Update Date: 2022 May 27

 

Philips is currently monitoring developments and updates related to the recently released F5 security alert concerning a critical vulnerability (CVE-2022-1388) within the iControl REST component of their BIG-IP product line. F5 has already released recommended actions and mitigations to help eliminate the vulnerability.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IS PACS
Universal Data Manager (UDM)

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Denial of Service Vulnerability on Cluster Shared Volumes (CVE-2022-26784) (2022 April 27)

Publication Date: 2022 April 27

Update Date: 2022 June 8

 

Philips is currently monitoring developments and updates related to the recently released Microsoft advisory concerning a denial-of-service vulnerability in Cluster Shared Volumes (CSV) (CVE-2022-26784).


Microsoft has already released a patch for this vulnerability as part of their April security update.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified. 

Holter Recorder DigiTrak XT (DTXT) - v3.0.4 [1,2]
IntelliSpace ECG - TMV C.03.06
ST80i - A.03.01.00 [1,2]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

[1] Software-only products with customer-owned operating systems.

[2] Information or patch available in InCenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Remote Procedure Call (RPC) Advisory (CVE-2022-26809) (2022 April 26)

Publication Date: 2022 April 26

Update Date: 2022 May 27

 

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-26809) within the Remote Procedure Call Runtime library of Microsoft Windows Operating System. Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to take control of the system.


Microsoft has already released a patch for this vulnerability as part of their April security update.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

CareEvent (B.x/C.x) [2]
IntelliSpace Portal Server (10.0/11.0) [1,2]
UroNav
Data Warehouse Connect
IntelliSpace Portal Server (12.0) [1,2]
VUE PACS (12.1.5, 12.2.1, 12.2.5, 12.2.8)
PICix (All Versions) [1,2]
ISP Enterprise Concerto (11.0) [1,2]
VUE RIS (11.3, 11.5)
IntelliSpace PACS
Universal Data Manager

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

[1] Software-only products with customer-owned operating systems.

[2] Information or patch available in InCenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Network File System Advisory (CVE-2022-24991) (2022 April 15)

Publication Date: 2022 April 15

Update Date: 2022 May 26

 

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-24991) within Microsoft’s Network File System (NFS) protocol implementation. Successful exploitation of the vulnerability could allow a remote attacker to execute code on the affected system.


Microsoft has already released a patch for this vulnerability as part of their April security update.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IntelliBridge Enterprise (B.6-B.16) [1,2]
IntelliSpace Perinatal [1]
IntelliVue Guardian Software [1]
IntelliSpace Concerto (10, 11, 12) [1,2]
IntelliSpace Portal (10, 11, 12) [1,2]
IntelliVue XDS [1]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:


[1] Software-only products with customer-owned operating systems.

[2] Information or patch available in InCenter. Please contact your local service support team.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

VMware Spring Cloud Function Advisory (CVE-2022-22963) (2022 April 6)

Publication Date: 2022 April 6

Update Date: 2022 May 2

 

Philips is currently monitoring developments and updates related to the recently released VMware Spring Cloud Function advisory concerning a critical vulnerability (CVE-2022-22963) impacting Spring Cloud Function versions 3.1.6, 3.2.2 and earlier.


The vulnerability is a Spring Expression Language (SpEL) injection affecting Spring Cloud Function. A public exploit has been observed, and security researchers have reportedly observed a significant amount of exploitation activity related to CVE-2022-22963.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

CardioVascular Scheduler 4.0

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

VMware Spring4Shell Advisory (CVE-2022-22965) (2022 April 5)

Publication Date: 2022 April 5

Update Date: 2022 April 27

 

Philips is currently monitoring developments and updates related to the recently released VMware Spring advisory concerning a critical Remote Code Execution vulnerability (CVE-2022-22965) within the Spring Core Java framework and known as “Spring4Shell”.

 

The vulnerability impacts Spring MVC and Spring WebFlux applications. Successful exploitation of this vulnerability could allow a remote attacker to take control of the affected system.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips e-Alert Hardware Advisory (2022 March 29)

Publication Date: 2022 March 29

Update Date: 2022 March 29

 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

 

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips e-Alert hardware solution, versions 2.7 and prior.

 

Regarding the Philips e-Alert hardware solution, versions 2.7 and prior, the company has identified one potential vulnerability that may allow an attacker within the same subnet to impact system availability. The vulnerability may allow attackers of low skill to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution. To restore system operation, the e-Alert hardware solution needs to be manually powered on again.

 

At this time, Philips has received no reports of exploitation of this vulnerability. Philips e-Alert hardware solution is not a medical device, therefore there is no risk to patient safety.

 

Philips has reported this vulnerability publicly and to the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.

 

Users with questions regarding their specific Philips e-Alert hardware solution are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions


Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://www.cisa.gov/uscert/ics/advisories/icsma-22-088-01

Apache APISIX Advisory (CVE-2022-24112) (2022 March 29)

Publication Date: 2022 March 29

Update Date: 2022 March 29

 

Philips is currently monitoring developments and updates related to the recently released Apache APISIX advisory concerning a critical vulnerability (CVE-2022-24112) impacting Apache APISIX versions 2.10.3 and earlier and versions 2.11.0 through 2.12.0.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Apache Log4j 1.x Advisory (Multiple CVEs) (2022 March 28)

Publication Date: 2022 March 28

Update Date: 2022 May 2

 

Philips is currently monitoring developments and updates related to multiple vulnerabilities found within Apache’s Log4j 1.x. Since Log4j 1.x has reached end of life and is no longer supported, Apache’s recommendation is to upgrade to the current version of the utility, Log4j 2.x.


  • CVE-2021-4104
  • CVE-2020-9488
  • CVE-2019-17571
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

 

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s Log4j utility for potential impacts from these reported vulnerabilities and validating actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. https://incenter.medical.philips.com

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to these vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IntelliVue XDS [1]
VuePACS (12.1.5, 12.2.x)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

 

[1] Software-only products with customer-owned operating systems. For product solutions where the server was provided, it is the customer’s responsibility to validate and deploy patches.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Windows IKE Extension Advisory (CVE-2022-21849) (2022 March 23)

Publication Date: 2022 March 23

Update Date: 2022 May 10

 

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-21849) within the IKE Extension component of Microsoft Windows Operating System. Microsoft has already released a patch for this vulnerability as part of their January security update.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions. At this time, Philips has identified a limited number of products that may be affected by this vulnerability. However, these products currently have validated software updates available that will prevent this issue from occurring. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

CareEvent (C.0x) [1,2]
IntelliSpace Perinatal (K.x) [1,2]
IntelliVue Guardian Software (E.0x) [1,2]
Data Warehouse Connect [2]
IntelliSpace Portal Server (11.0/12.0) [1,2]
PICiX (C.0x) [2]
FocalPoint (A.0/A.01) [1,2]
IntelliSpace Portal Enterprise (12.0) [1,2]
IntelliBridge Enterprise (B.09-B.15) [1,2]
ISP Enterprise Concerto (12.0) [1,2]

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

 

[1] Software-only products with customer-owned operating systems.

[2] Information or patch available in InCenter. Please contact your local service support team.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

APC TLStorm Advisory (Multiple CVEs) (2022 March 11)

Publication Date: 2022 March 11

Update Date: 2022 March 22

 

Philips is currently monitoring developments and updates related to the recently released Armis advisory concerning three critical zero-day vulnerabilities, collectively referred to as “TLStorm” (CVE-2022-22805, CVE-2022-22806, CVE-2022-0715).

 

The vulnerabilities affect APC Smart-UPS devices, which provide emergency backup power to mission-critical assets. Successful exploitation of these vulnerabilities could allow remote attackers to take over Smart-UPS devices and achieve remote code execution.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Access:7 PTC Axeda Advisory (Multiple CVE’s) (2022 March 8)

Publication Date: 2022 March 8

Update Date: 2022 May 2

Philips is currently monitoring developments and updates related to a recently published CISA Advisory concerning multiple vulnerabilities affecting all versions of PTC’s Axeda Agent and Axeda Desktop Server for Windows.

Axeda Agent and Axeda Desktop Server are remote access connectivity software used as part of a cloud-based IoT platform. Successful exploitation of the vulnerabilities could lead to remote code execution, access to log information, file system read access, and a denial-of-service condition.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing PTC’s vulnerable Axeda products for potential impacts from these reported vulnerabilities and validating actions.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be vulnerable to PTC’s Axeda vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Capsule Support Access Tool
Respilink

Note:

Capsule products are not impacted by these vulnerabilities. Customers who have not used the Capsule Support Access Tool are not impacted. For Philips Capsule customers who opted for remote support through Capsule Support Access Tool, Philips is in the decommissioning process and will be sending out security notices that would include remediation and mitigation steps.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are not affected by these vulnerabilities.

CISA's Shields Up Advisory (2022 February 25)

Publication Date: 2022 February 25

Update Date: 2022 March 2

Philips is currently monitoring developments and updates related to the recently released Shields Up Advisory by the Cybersecurity and Infrastructure Security Agency (CISA), which is related to recent cyber-attacks on the Ukrainian government and critical infrastructure organizations.

The advisory recommends that organizations adopt a heightened cybersecurity posture and protect their most critical assets. Philips strongly recommends that customers follow CISA’s guidance and recommendations to make near-term progress towards improving cybersecurity and resilience.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all customers are advised against geo-blocking or disconnecting the PRS, as doing so may prevent Philips service teams from providing any required immediate and proactive support, such as remote patching.

PwnKit Advisory (CVE-2021-4034) (2022 January 28)

Publication Date: 2022 January 28

Update Date: 2022 May 2

Philips is currently monitoring developments and updates related to the recently published Red Hat advisory (CVE-2021-4034) concerning a local privilege escalation vulnerability referred to as “PwnKit”.

This vulnerability is found in polkit's pkexec utility, which is installed by default on all major Linux distributions. According to Red Hat, successful exploitation of this vulnerability could allow an unprivileged local attacker to escalate privileges, bypassing any authentication and policies, due to incorrect handling of the process’s argument vector.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-4034. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Philips IntelliSite Pathology Solution - Ultra Fast Scanner

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing any required immediate and proactive support, such as remote patching.

Philips Engage Software (2022 January 6)

Publication Date: 2022 January 6

Update Date: 2022 January 6

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Engage Software (Version 6.2.1 and prior).

Philips has already released and deployed to all customers an updated version (6.2.2) on September 28, 2021, in which the vulnerability was fixed. The current version of this software is version 6.2.3, which was released November 25, 2021.

The identified issue that has been corrected is a low-severity vulnerability (CVSS v3 score of 2.6 on a scale of 10) regarding improper access control (CWE-284). If exploited, this issue may allow an authenticated user to potentially view business contact information.

This issue requires a medium skill level and authenticated user login credentials to exploit.

At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this problem. Engage is a patient portal and medical device software under regulations in the markets where it is offered. Engage is used solely to support the self-management of patients and their care network and is not meant to be used for therapeutic or diagnostic purposes.

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Philips Engage software are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Cybersecurity & Infrastructure Security Agency (CISA) Advisory:

https://www.cisa.gov/uscert/ics/advisories/icsma-22-006-01

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

Any media inquiries should be directed to:


Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com
