
Security Advisory Archives (2020)

SolarWinds Advisory (14 December 2020)

Publication Date: 2020 December 14

Update Date: 2021 January 22

Philips is currently monitoring developments related to recent reports of a security breach affecting the SolarWinds Orion Platform software.


Our global security teams are analyzing updates from SolarWinds, in the event that this issue may potentially be related to known security vulnerabilities.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our solutions. The company is a recognized leader in health technology cybersecurity. As part of the global Philips Product Security Policy, the company conducts extensive, ongoing analysis of our solutions, often in collaboration with customers, researchers, and government agencies.

Begin Update A: 2021 January 13

Philips does not utilize SolarWinds in an external facing capacity when servicing or monitoring medical devices through the Philips Remote Service Network (RSN/PRS).

End Update A

Begin Update B: 2021 January 22

To date, Philips’ review has not identified products affected by the SolarWinds software vulnerabilities. Philips does not utilize SolarWinds in an external facing capacity when servicing or monitoring medical devices through the Philips Remote Service Network (RSN/PRS). Our review and analysis are ongoing.

End Update B

FireEye Advisory (10 December 2020)

Publication Date: 10 December 2020

Update Date: 10 December 2020

Philips is currently monitoring developments related to recent reports of a security breach affecting U.S. security firm FireEye.

At this time, Philips does not utilize services from FireEye. Our global security teams are analyzing updates from FireEye regarding its cybersecurity tools that may have been compromised, and their potential relation to known security vulnerabilities.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our solutions. The company is a recognized leader in health technology cybersecurity. As part of the global Philips Product Security Policy, the company conducts extensive, ongoing analysis of our solutions, often in collaboration with customers, researchers, and government agencies.

Amnesia33 TCP/IP Stack Vulnerabilities Advisory (9 December 2020)

Publication Date: 2020 December 9

Update Date: 2021 January 21

Philips is currently monitoring developments and updates related to the recently published U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) advisory (ICSA-20-343-01) concerning 33 reported vulnerabilities found in multiple open-source software TCP/IP stacks, referred to as “Amnesia33”.

According to CISA, successful exploitation of these vulnerabilities could allow attackers to corrupt memory, put devices into infinite loops, access unauthorized data, and/or poison DNS cache.

As part of the Philips product security policy and protocols, Philips’ teams are evaluating the affected third-party TCP/IP products listed in the CISA advisory, and their potential relation to known security issues, to determine if remediation for Philips products may be required. The TCP/IP suppliers of these third-party products have provided mitigations in the CISA advisory.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our solutions. The company is a recognized leader in health technology cybersecurity. As part of the global Philips Product Security Policy, the company conducts extensive, ongoing analysis of our solutions, often in collaboration with customers, researchers, and government agencies.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Begin Update A: 2021 January 21

To date, Philips’ review has not identified products affected by the Amnesia33 software vulnerabilities. Our review and analysis are ongoing.

End Update A

Oracle WebLogic CVE-2020-14750 Advisory (3 November 2020)

Publication Date: 3 November 2020

Update Date: 5 November 2020

Philips is currently monitoring developments and updates related to the Oracle WebLogic Server Advisory (CVE-2020-14750). The advisory highlighted a critical remote code execution (RCE) vulnerability impacting multiple Oracle WebLogic Server versions and is related to CVE-2020-14882.


As reported by Oracle, unauthenticated attackers can remotely exploit this no-auth RCE flaw in the server’s console component via HTTP, without user interaction, as part of low complexity attacks to potentially take over targeted servers. Oracle WebLogic Server versions that are affected by CVE-2020-14750 include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.


As part of product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Oracle WebLogic Server for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further possible actions as needed.

Oracle released a critical patch update in October 2020 for CVE-2020-14882. Oracle is addressing the more recent vulnerability, CVE-2020-14750, with an emergency patch released on November 1. Philips is currently in the process of evaluating the Oracle patch and vendor recommended mitigation options. According to Oracle, the vulnerability is remotely exploitable over a network without authentication, i.e. without the need for a username and password.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. As the advisory posted is updated by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.


Begin Update A: 5 November 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Tasy EMR v12.2.1.3*

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

End Update A

Joint CISA/FBI/HHS Advisory regarding Ryuk ransomware attacks on healthcare organizations (29 October 2020)

Publication Date: 29 October 2020

Update Date: 29 October 2020

Philips is currently monitoring developments and updates related to the recent joint cybersecurity advisory coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), which is related to recent ransomware attacks on healthcare organizations.

The advisory highlighted the threat posed by the Ryuk ransomware campaign, which exploits the Microsoft Netlogon vulnerability (CVE-2020-1472). The Microsoft Netlogon vulnerability is an escalation of privilege vulnerability. As reported by Microsoft, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

As part of product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further possible actions as needed.

Microsoft is addressing the vulnerability in a phased two-part rollout: the first part was released as a patch in August, and the second part is projected for early next year. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, to exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. As the Zerologon advisory posted on www.philips.com/productsecurity is updated by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Microsoft Bad Neighbor Advisory (13 October 2020)

Publication Date: 13 October 2020

Update Date: 13 October 2020

Philips is currently monitoring developments and updates related to the Microsoft security advisory issued on 13 October 2020. The advisory highlighted a remote code execution vulnerability that affects multiple versions of the Windows 10 and Windows Server operating systems. This vulnerability, also referred to as “Bad Neighbor”, resides in the way Windows handles ICMPv6 Router Advertisement packets, and could allow a remote attacker to execute code on an affected system.

As part of product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further possible actions as needed.

Microsoft provided a security update. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, to exploit the vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. As the advisory is updated by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Microsoft Zerologon CVE-2020-1472 Advisory (29 September 2020)

Publication Date: 14 September 2020

Update Date: 29 October 2020

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning an escalation of privilege vulnerability (CVE-2020-1472) in Microsoft’s Netlogon. As reported by Microsoft, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further possible actions as needed.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, to exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Begin Update B: 29 October 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1472. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Clinical Collaboration Platform officially registered as Vue PACS****
Illumeo 2.0**
IntelliSpace ECG Management System B.00 (IECG)*
Intellispace PACS (4.4, 5.5x)***
IntelliSpace Discovery 2.0**
IntelliSpace Portal Server (9.0, 10.0)**
UDM (1.1, 2.2)
XIRIS (8.2, 8.3)

*Software only products with customer owned Operating Systems.

**Information or patch available in Incenter.

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure.

**** Only those installs with Veritas Cluster Manager Software installed.

Note:
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips is continuing to assess the Microsoft patch for Philips’ products and services that use remote desktop services. Philips will use Incenter as the communication mechanism for necessary mitigation or remediation.

End Update B

Begin Update A: 5 October 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1472. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Clinical Collaboration Platform officially registered as Vue PACS****
Illumeo 2.0**
IntelliSpace ECG Management System B.00 (IECG)*
Intellispace PACS (4.4, 5.5x)***
IntelliSpace Discovery 2.0**
IntelliSpace Portal Server (9.0, 10.0)**
UDM (1.1, 2.2)
XIRIS (8.2, 8.3)

*Software only products with customer owned Operating Systems.

**Information or patch available in Incenter.

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure.

**** Only those installs with Veritas Cluster Manager Software installed.

End Update A

Philips Clinical Collaboration Platform, officially registered as Vue PACS (17 September 2020)

Publication Date: September 17, 2020

Update Date: September 17, 2020

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS).

Philips confirmed 5 vulnerabilities of low to medium severity (CVSS 3.4-6.8) associated with the Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS), affecting versions 12.2.1 and prior. These include potential exploits relating to input and data validation verification, resource allocation limitation, and access configuration, among others.

This potential issue requires a high skill level to exploit, and there are currently no known public exploits available. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

Successful exploitation of these issues could allow an attacker to lead a user into executing potentially unauthorized actions, or provide the attacker with identifying information that could be used for subsequent attacks.

Philips released a patch in June 2020 for Clinical Collaboration Platform Portal (officially registered as Vue PACS) version 12.2.1.5 to correct some of these issues, and a new release of the product was released in May 2020. One issue requires manual intervention, and affected customers are advised to contact Philips support.

Users with questions regarding their specific Philips Clinical Collaboration Platform installation and new release eligibility should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or call 1-877-328-2808 option 4.

Publication on CISA website: https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01

Philips Patient Monitoring (10 September 2020)

Publication Date: September 10, 2020

Update Date: November 18, 2021

Philips is a committed leader in medical device cybersecurity. Guided by our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy covering the disclosure and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding certain types and versions of the Philips IntelliVue Patient Monitor system, the Patient Information Center iX (PIC iX) software, and PerformanceBridge Focal Point.

Philips has become aware of potential low-to-moderate-severity vulnerabilities in affected products. These potential issues require a low skill level to exploit. To successfully exploit these vulnerabilities an attacker would need to gain either (1) physical access to surveillance stations and patient monitors or (2) access to the medical device network. These vulnerabilities, if exploited, could result in unauthorized access, interrupted monitoring, and collection of access information and/or patient data.

There are no known public exploits available for these issues. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.

Philips plans to release a series of updates for affected products beginning in 2020. Philips has reported the potential issues and their mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

Users with questions regarding their specific Philips IntelliVue monitor, PIC iX and PerformanceBridge Focal Point installations should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

ADDENDUM: Affected Product List

  • Patient Information Center iX (PICiX) version B.02, C.02, C.03
  • PerformanceBridge Focal Point version A.01
  • IntelliVue patient monitors MX100, MX400-MX850 and MP2-MP90 version N and prior
  • IntelliVue X3 and X2 version N and prior

Philips plans a series of new releases to remediate all reported vulnerabilities:

  • Patient Information Center iX (PIC iX) version C.03 by end of 2020
  • PerformanceBridge Focal Point by Q4 of 2021
  • IntelliVue patient monitors version N.00 and N.01 in Q1 of 2021
  • IntelliVue Patient Monitors Version M.04: Contact a Philips service support team for an upgrade path
  • Certificate revocation within the system will be implemented in 2023

Cybersecurity & Infrastructure Security Agency (CISA) advisory: https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

Philips SureSigns VS4 patient monitoring system (20 August 2020)

Publication Date: August 20, 2020

Update Date: August 20, 2020

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips SureSigns VS4 patient monitoring system.

Philips has become aware of low- to medium-severity vulnerabilities (CVSS scores 2.1, 4.9 and 6.3) regarding improper input validation, inadequate encryption strength, and improper access control, associated with the Philips SureSigns VS4 system, affecting versions A.07.107 and prior.

There are currently no known public exploits available for the reported vulnerabilities. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

Successful exploitation may allow an unauthorized user access to administrative controls and system configurations, which could allow changes to system configuration items, causing patient data to be sent to a remote destination. This potential vulnerability does not impact patient safety.

To mitigate these potential vulnerabilities, Philips recommends that customers change all system passwords on their devices, using a unique password for each device, and physically secure the device when not in use. Customers are also advised to consider replacing the Philips SureSigns VS4 devices with a newer technology.

Users with questions regarding their specific Philips SureSigns VS4 installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

Cybersecurity & Infrastructure Security Agency (CISA) advisory:

Philips DreamMapper (30 July 2020)

Publication Date: July 30, 2020

Update Date: July 30, 2020

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips DreamMapper software.

Philips has become aware of a potential medium-severity vulnerability regarding access to log file information associated with the Philips DreamMapper software, affecting only Versions 2.24.x and prior.

This potential issue requires a low skill level to exploit. To date, Philips has not received any reports of exploitation of this vulnerability or of incidents from clinical use that we have been able to associate with this issue.

Successful exploitation may allow an unauthorized attacker access to the log file information containing descriptive error messages. This potential vulnerability does not impact patient safety. The Philips DreamMapper software is a personalized therapy adherence tool for sleep apnea patients, and is not a clinical application – it does not directly provide therapy or diagnosis to patients.

Philips plans a new release for DreamMapper by June 30, 2021 that remediates the security vulnerability identified. Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

Users with questions regarding their specific Philips DreamMapper installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Cybersecurity & Infrastructure Security Agency (CISA) advisory: https://us-cert.cisa.gov/ics/advisories/icsma-20-212-01

Boothole GRUB2 Advisory (29 July 2020)

Publication Date: July 29, 2020

Update Date: August 19, 2020

Philips is aware of and currently monitoring a third-party vulnerability that impacts the GRUB2 bootloader, a component that controls which operating system is booted on a system. This third-party vulnerability was recently discovered by a security vendor and is not specific to Philips or our products.

The identified third-party vulnerability, designated CVE-2020-10713 and also referred to as “Boot Hole,” is a buffer overflow vulnerability that exists in the way GRUB2 parses the grub.cfg configuration file. This vulnerability impacts all versions of GRUB and systems using Secure Boot with the standard Microsoft UEFI Certificate Authority. If successfully exploited, an unauthorized user could potentially bypass the Secure Boot signature verification and execute arbitrary code during the boot process. To exploit this vulnerability, a threat actor would need physical access to the system and user privileges.

Following analysis by Philips, the company has determined that no Philips products contain the GRUB2 bootloader component, and they are therefore not affected by this third-party vulnerability.

Microsoft SIGRED RCE DNS advisory (15 July 2020)

Publication Date: July 15, 2020 

Update Date: July 31, 2020

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported remote code execution (RCE) vulnerability (CVE-2020-1350) in Windows DNS Server. As reported by Microsoft, a remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. Windows servers that are configured as DNS servers are at risk from this vulnerability.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released a patch to help remediate this vulnerability. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, an attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account which could allow an attacker to take control of an affected system.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update A: July 28, 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Analytics 1.1
Ultrasound CX version 5.0.3, release expected Q4 2020
Ultrasound Sparq version 3.0.3, release expected Q4 2020
Clinical Collaboration Platform (formerly Vue PACS) ***
IntelliSpace PACS 4.4, 4.4.55x ***
PIC iX B.0x and C.0x Physiological Server only when DNS enabled *****
IntelliBridge Enterprise (IBE) versions B.06-B.12 *,**
UDM 2.1 and 1.1

*Software only products with customer owned Operating Systems

**Information or patch available in InCenter

***Philips hosting business validated and deploying the patch to the managed infrastructure

****Patch is tested and can be installed via the Windows Update mechanism

*****Mitigation tested and applicable, see steps below:

 

The PIC iX Physiological Server may be configured as a DNS server as outlined in the Service and Installation Guide; however, the DNS Server role is not required for PIC iX and is not installed by default. Only those installations where the Physiological Server is configured as the DNS server are at risk from the RCE vulnerability. The Philips Medical Device network is required to be physically or logically isolated from the hospital LAN. We suggest that network firewalls and access control lists be reviewed to ensure that access to DNS is limited.

 

 

Philips has evaluated the Windows registry modification workaround provided by Microsoft. Philips has determined that the workaround has no negative impact on the PIC iX system and that the registry modification can be applied to a PIC iX Server configured as a DNS server. Philips strongly recommends removing the registry workaround after applying the security patch, as instructed by Microsoft.

 

 

For more information on the mitigation, please see the link below:

 

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

 

Note: Please be aware that the "0x" prefix notation for the hexadecimal value "FF00" (decimal value 65280) shown in the Microsoft KB article should be excluded from data entry, as including it may have unintended results due to unpredictable handling of the "x" character.
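The PIC iX mitigation steps above (confirm that the DNS Server role is actually present, apply the Microsoft registry workaround as a decimal DWORD rather than a "0x"-prefixed entry, and remove it again once the patch is installed) as an added PowerShell example; it is not Philips' or Microsoft's own tooling. The registry path and value name are the ones documented in the Microsoft KB article linked above; the function names are this example's own.

```powershell
# Added example for the PIC iX / CVE-2020-1350 mitigation described above.
# Not Philips' or Microsoft's own tooling. Registry path and value name are
# those documented in the Microsoft KB article; function names are this
# example's own.
$DnsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$Workaround = 65280   # 0xFF00 as a decimal integer; the "0x" prefix is never typed

function Test-DnsServerRole {
    # $true only when the DNS Server service exists on this host
    # (PIC iX does not install the DNS Server role by default).
    return [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
}

function Get-DnsWorkaroundState {
    # Reports whether the workaround value exists, its registry kind, and
    # whether it is a DWORD holding exactly 0xFF00 (a REG_SZ "0xFF00" or a
    # mistyped hex value is reported as not OK).
    $item = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Value = $null; Ok = $false }
    }
    $raw  = $item.$ValueName
    $kind = (Get-Item -Path $DnsParams).GetValueKind($ValueName)
    $ok   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ([uint32]$raw -eq $Workaround)
    return [pscustomobject]@{ Present = $true; Kind = $kind; Value = $raw; Ok = $ok }
}

function Enable-DnsWorkaround {
    # Apply the workaround only where the DNS Server role is actually present.
    if (-not (Test-DnsServerRole)) {
        Write-Warning 'DNS Server role not present on this host; nothing to mitigate.'
        return
    }
    # Writing a DWORD from an integer sidesteps the "x" data-entry pitfall:
    # the registry receives 65280 (0xFF00), never the text "0xFF00".
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
        -Value $Workaround -Force | Out-Null
    Restart-Service -Name DNS     # the KB requires a DNS service restart
    $state = Get-DnsWorkaroundState
    if (-not $state.Ok) {
        throw "Workaround not applied correctly; $ValueName is $($state.Kind) '$($state.Value)'"
    }
    Write-Output ('{0} = {1} (0x{1:X}) applied' -f $ValueName, [uint32]$state.Value)
}

function Disable-DnsWorkaround {
    # Remove the workaround after the Microsoft security patch is installed,
    # as Philips recommends above.
    if ((Get-DnsWorkaroundState).Present) {
        Remove-ItemProperty -Path $DnsParams -Name $ValueName
        Restart-Service -Name DNS
    }
}

# Running the script as-is only reports the current state; call
# Enable-DnsWorkaround before patching and Disable-DnsWorkaround afterwards.
Get-DnsWorkaroundState | Format-List
```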

 

End Update A

F5 Advisory (30 June 2020)

Publication Date: June 30, 2020 

Update Date: September 25, 2020 

 

Philips is currently monitoring developments and updates related to the recent F5 alert concerning the reported remote code execution (RCE) vulnerability (CVE-2020-5902) in undisclosed pages. The technical details, as reported by F5, state that this vulnerability allows unauthenticated attackers, or authenticated users, with network access to the configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete F5 system compromise. The F5 BIG-IP system in appliance mode is also vulnerable. This F5 issue is not exposed on the data plane; only the control plane is affected.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing F5 for potential impacts from these reported vulnerabilities and validating actions. F5 has released a patch to help remediate this vulnerability. Philips is currently in the process of validating the F5 patch and vendor recommended mitigation options. Once the F5 patch has been tested and validated by Philips with the impacted products, the patch will either be installed by Philips or made available for installation by customers, depending on contract details.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

When a product does require security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update B: September 25, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Clinical Collaboration Platform (formerly called Vue PACS) ***
IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553) ***
Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***
VueBeyond

*Software only products with customer owned Operating Systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

End Update B

 

 

Begin Update A: August 28, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-1350. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Clinical Collaboration Platform (formerly called Vue PACS) ***
IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553) ***
Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***

*Software only products with customer owned Operating Systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

 

End Update A

Philips Ultrasound (24 June 2020)

Publication Date:  June 24, 2020

Update Date: June 24, 2020

 

Philips is a leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding specific versions of Philips ultrasound software applications.

Philips has become aware of a potential low-severity issue (CVSS v3 base score 3.6 – Low) where unauthorized personnel can bypass authentication via an alternate path or channel or via an alternate service login. This potential issue is only associated with Ultrasound ClearVue versions 3.2 and prior, Ultrasound CX versions 5.0.2 and prior, Ultrasound EPIQ and Affiniti versions VM5.0 and prior, Ultrasound Sparq version 3.0.2 and prior, and Ultrasound Xperius.

This potential issue requires local access to an affected system and a high skill level to exploit. If a successful exploitation occurs, the only result is that an unauthorized user may be able to enable and access ultrasound device features that were not included with system purchase. Philips’ analysis indicates that this is not a device safety issue, and there is no expectation of patient hazard. To date, Philips has not received reports of this vulnerability being exploited in clinical use.

 

To address this issue:

  1. Philips released Ultrasound EPIQ and Affiniti version VM6.0 in April 2020, which removed the affected functionality.
  2. Philips plans the following new releases to address this issue in the following software versions:
  • Ultrasound ClearVue version 3.3, release expected Q4 2020
  • Ultrasound CX version 5.0.3, release expected Q4 2020
  • Ultrasound Sparq version 3.0.3, release expected Q4 2020


As an interim mitigation to this vulnerability, Philips recommends customers ensure service providers can guarantee installed device integrity during all service and repair operations.

 

Philips has reported this potential issue and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

Users with questions regarding their specific Philips ultrasound software installation should contact their local Philips service support team or regional service support. Philips contact information is available at:

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions


Please see the Philips product security web site for the latest security information for Philips products:   https://www.philips.com/productsecurity


Ripple20 Advisory (18 June 2020)

Publication Date: June 18, 2020
Update Date: September 4, 2020

 

Security researchers at JSOF have disclosed 19 different zero-day vulnerabilities within the Treck TCP/IP stack. The collection of vulnerabilities, which JSOF refers to as "Ripple20", could lead to remote code execution or exposure of sensitive information. Of the 19 flaws, 6 are rated high severity under the industry-standard Common Vulnerability Scoring System (CVSS) v3. The exposure to these high severity issues depends greatly on the Treck products being used.

 

Philips is currently monitoring developments and updates related to the recently published advisory (ICSA-20-168-01) concerning the 19 reported CVEs collectively referred to as Ripple20. In the advisory, Treck recommends that users apply the latest version of Treck TCP/IP (6.0.1.67 or later).

 

As part of the Philips product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions that may be utilizing Treck TCP/IP for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. Treck has released patches to help remediate these vulnerabilities.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Begin Update A: September 4, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to Ripple20. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

HeartStart Intrepid Monitor/Defibrillator (867172) ** (not sold in the US)

**Information or patch available in InCenter

 

End Update A

Philips IntelliBridge Enterprise (IBE) system (11 June 2020)

Publication Date: June 11, 2020

Update Date: July 1, 2020
 

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
  

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding the Philips IntelliBridge Enterprise (IBE) system.

 

Philips has become aware of a potential low-severity vulnerability regarding unencrypted user credentials stored in transaction logs associated with the Philips IntelliBridge Enterprise (IBE) software, affecting only Versions B.12 and prior, with the following workflows:

 

  • Enterprise system integration with:
    • SureSigns (VS4)
    • EarlyVue (VS30)
    • IntelliVue Guardian (IGS)

 

This potential issue requires a high skill level to exploit, and to date, Philips has not received reports of exploits of this vulnerability. Successful exploitation may allow an existing administrator and/or high-privileged system user access to credentials for the hospital’s clinical information systems. The IntelliBridge Enterprise (IBE) provides HL7 interface interoperability between Philips products and the hospital’s clinical information systems or electronic medical records by providing a single integration point to the enterprise. Philips IntelliBridge Enterprise has no clinical user interface, nor does it interpret, inspect, or provide additional analytical functionality for medical device data.

 

Philips plans a new release (IBE B.13) by the end of Q4 2020 that remediates the potential issue by no longer logging plain text user credentials in the log file. In the interim, Philips recommends that IBE transaction logs be made accessible only with administrative privileges. If necessary, an additional, limited-privilege account can be created on the IBE system for authorized users such as service engineers. Additionally, it is recommended to reduce log retention to a shorter timeframe.

 

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA, which is issuing an advisory.

 

Users with questions regarding their specific Philips IntelliBridge Enterprise (IBE) installation should contact their local Philips service support team, or regional service support. Philips contact information is available at the following location:

 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

 

US DHS CISA (Cybersecurity and Infrastructure Security Agency): https://www.us-cert.gov/ics/advisories/icsma-20-163-01

 

Philips Air Purifier AC2719 (24 March 2020)

Publication Date: March 24, 2020

Update Date: March 24, 2020
 

Overview

Philips produces and sells connected air purifiers that provide healthy air to consumers. The connected air purifier can be controlled by an app; Philips has partnered with Air Matters, a world-leading air quality app. It monitors indoor and outdoor air quality, offers insights, controls your Philips connected Air device, shows its filter status, and gives you advice on how to manage exposure to air pollution and allergens. An independent security researcher submitted three vulnerabilities, which can be mitigated, regarding communications, key length and decompilation of the mobile app.
 

Affected Products:

Philips reports that these vulnerabilities affect Air Matters Android version 4.2.9 and below.
 

Impact:

An attacker connected to an unprotected local WiFi network could compromise the encryption protocol to start and/or stop the air purifier.

An attacker connected to the local WiFi network can connect to the device, after which the device can be controlled remotely. This impact is similar to downloading the Air Matters app and connecting to the air purifier device on the local network, which is standard behavior and part of the functionality advertised to the customer.
 

Background

An independent security researcher reported that the local network communication between the app and the Air Purifier has been reverse engineered. The main vulnerabilities identified are: 1) no use of HTTPS/TLS encryption on the local network; 2) insufficient Diffie-Hellman key length; 3) decompilation of the Android mobile app; and 4) through scripting from the local network, a connection with the device can be set up.

These vulnerabilities do not impact confidentiality or integrity of data. The vulnerabilities could potentially impact availability.

Once notified, Philips analyzed the extent and started the containment and resolution actions.

The vulnerabilities are due to the use of an outdated chip version. This chip is no longer used in the production of new devices. Newer versions of the device use a chip without these vulnerabilities.


Vulnerability Overview

CWE-319: Cleartext Transmission of Information

The software transmits data in cleartext in a communications channel that can be sniffed by unauthorized actors. Many communication channels can be sniffed by attackers during data transmission.

The CVSS v3 base score for this vulnerability is 5.3 (Medium), with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-327: Insufficient Diffie-Hellman Strength

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of information.

The CVSS v3 base score for this vulnerability is 4.3 (Medium), with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Through scripting on the local network, a connection with the device can be set up. Subsequently this connection can be used to control the device remotely.
 

Existence of Exploit

Public exploits exist for some of these vulnerabilities, however, none are specifically targeted for Philips Air Purifier.
 

Difficulty

An attacker with medium to high skill would be able to exploit these vulnerabilities.
  

Mitigation

For the old infrastructure of Philips Air Purifiers products:

  • Philips has recommended that customers of this current infrastructure always use a secure wireless connection by enabling WiFi Protected Access (WPA2) for IEEE 802.11 technology.
  • Only allow trusted persons onto the local network.
  • There will be no update for the old infrastructure.

The improved infrastructure of newly launched Air Purifiers no longer has these issues, as they have been solved. The new products have been introduced from mid 2019 onwards.

Philips recommends that consumers use the new devices with the new infrastructure.
 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

Underwriters Laboratories (UL) Product Cybersecurity Testing Certification (12 March 2020)

Publication Date: March 12, 2020
Update Date: March 12, 2020

 

Royal Philips (NYSE: PHG, AEX: PHIA), a global leader in health technology, today announced that the company was named the first medical device manufacturer to receive a new Underwriters Laboratories (UL) product cybersecurity testing certification. Underwriters Laboratories (UL) is an independent global safety certification and testing company with locations worldwide.

 

The UL IEC 62304 certification was designed by Underwriters Laboratories to provide an overall framework to evaluate the robustness and maturity of a medical device manufacturer’s cybersecurity controls and capabilities for product development. 

 

In support of the successful Philips firm registration for the security option of IEC 62304, UL performed a comprehensive audit of the Philips Security Center of Excellence. The Center was launched in 2015 to develop cyber-resilient products and services through security-by-design, risk assessment, vulnerability and penetration assessment, specialized trainings, and incident response.

 

The audit reviewed and verified core Philips Security Center of Excellence product security processes, including security risk management and risk control measures, software security verification planning, change management and continuous improvement, and the Center’s laboratory quality management system. 

 

The UL certification combines cybersecurity testing elements of the established UL 2900-2-1 standard for Software Cybersecurity for Network-Connectable Products, which focuses on the demanding requirements of healthcare and wellness systems, as well as security principles from international standards (ISO 13485 and ISO 14971).
 

The detailed press release can be found: http://www.newscenter.philips.com/us_en

Sweyn Tooth Bluetooth Low Energy Advisory (20 February 2020)

Publication Date: February 20, 2020 

Update Date: April 20, 2020

 

Philips is currently monitoring developments and updates related to the recent Bluetooth Low Energy (BLE) alert concerning the reported SweynTooth, a family of 12 vulnerabilities (CVE-2019-16336, CVE-2019-17519, CVE-2019-17517, CVE-2019-17518, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196, CVE-2019-17061, CVE-2019-17060, CVE-2019-19192, CVE-2019-19193, CVE-2019-19194).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Bluetooth Low Energy (BLE) for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

According to Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor, successful exploitation of these vulnerabilities allows an attacker in radio range to trigger deadlocks, crashes, and buffer overflows or completely bypass security depending on the circumstances.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update A: April 20, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to SweynTooth. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Diamond Clean Smart connected power toothbrush (codes start with HX99)
Flexcare Platinum Connected power toothbrush (codes start with HX91)
Saeco Gran Baristo Avanti – Espresso Machine Models
Diamond Clean 9000 connected power toothbrush (codes start with HX99)
Philips Connected Shaver 7000 (S77xx & S79xx)
Expert Clean power connected toothbrush (HX96)
Sonicare - Kids connected power toothbrush (codes start with HX63)

End Update A

Microsoft CryptoAPI/NSACrypt/Curve Ball Advisory (16 January 2020)

Publication Date: January 16, 2020
Update Date:  February 4, 2020
 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Curve Ball or NSA Crypt or CryptoAPI spoofing vulnerability (CVE-2020-0601).

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of this vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
 

Begin Update B: February 4, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (Upgrade R1, R2, R3 to R5), R5, 3.0T, 3.0T (TX), and XR)
Forcare Suite*
IntelliSpace Portal Workstation*
CareEvent*
Holter Recorder DigiTrak XT (CTXT)*
IntelliVue Guardian Software
CompuRecord G.01*
Illumeo 2.0*
IntraSight
Diagnostics Site Server (DSS)
Ingenia (Upgrade to R5 & Factory R5)
MobileDiagnost wDR
DigitalDiagnost C90
Intellibridge Enterprise (IBE)*
Multiva/Prodiva
DoseWise Portal
IntelliSpace Cardiovascular (ISCV)*
PIC iX*
EchoNavigator
IntelliSpace Console Critical Care (ISCCC)
ST80i A.02
eICU eCare Manager
IntelliSphere Critical Care and Anesthesia (ICCA)*,**
VSS Dashboard*
FocalPoint A.0/A.01*
IntelliSpace ECG Management System B.00 (IECG)
Xper IM*

*Software only products with customer owned Operating Systems

**Information or patch available in InCenter

End Update B

Begin Update A: January 21, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0601. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (Upgrade R1, R2, R3 to R5, R5, 3.0T, 3.0T (TX), and XR)
Corsium
Diagnostics Site Server (DSS)
DigitalDiagnost C90
EchoNavigator
Holter Recorder DigiTrak XT (DTXT)
Illumeo 2.0
Ingenia (upgrade to R5 and Factory R5)
IntelliSpace Connect
IntelliSpace Discovery 2.0
IntelliSpace ECG Management System B.00 (IECG)
IntelliSpace Portal Server
IntelliSpace Portal Workstation
MobileDiagnost wDR
Multiva/Prodiva
ST80i A.02
**Information or patch available in Incenter

End Update A

Microsoft Critical Vulnerability Advisory (15 January 2020)

Publication Date: January 15, 2020 

Update Date: April 20, 2020

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning the reported Windows RD Gateway and Windows Remote Desktop Client vulnerabilities (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products.

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. According to Microsoft, successful exploitation of these vulnerabilities could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

 

Begin Update C: April 20, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Affiniti
Allura (Centron, Clarity, Xper)
Azurion
CareEvent*
ClearVue
CombiDiagnost R90
CompuRecord (F.02, G.00, G.01)*
Core M2
Coronary Tools
CX50/30
Diagnostics Site Server (DSS)
DigitalDiagnost (C50, C90, Opta C50)
DoseWise Portal*
DR Compact
DuraDiagnost (Compact and F30)
EasyDiagnost
EchoNavigator
eICU Care Manager
EP Navigator
Epiq
FlexCardio
FocalPoint A.0/A.01
Holter Recorder DigiTrak XT (DTXT)*
Illumeo 2.0
Ingenia (upgrade to R5 & Factory R5)
IntelliBridge Enterprise (IBE)*
IntelliSpace Breast
IntelliSpace Cardiovascular (ISCV)*
IntelliSpace Console Critical Care (ISCCC)
IntelliSpace Discovery 2.0
IntelliSpace ECG Management System B.00 (IECG)*
IntelliSpace Perinatal (ISP)*
IntelliSpace Portal (Server & Workstation)
IntelliVue Guardian Software*
ISP Anywhere
ISP VL Capture 1.1 Visible Light
Juno DRF (5.7)
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
MobileDiagnost (M50, Opta, and wDR)
Multiva
Multiva/Prodiva
PIC iX*
PIIC Classic
Prograde
ProxiDiagnost N90
Sparq
SPhAERA (3.x & 4.x)
ST80i A.02*
SyncVision
UDM
ViewForum
Volcano Core Imaging System
Volcano Core Mobile Imaging System
VSS Dashboard*
Xcelera 4.1*
XIRIS 8.3
Xper IM*
XtraVision

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

End Update C


Begin Update B: February 4, 2020

 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Affiniti
Allura (Centron, Clarity, Xper)
Azurion
CareEvent*
ClearVue
CombiDiagnost R90
CompuRecord (F.02, G.00, G.01)*
Core M2
Coronary Tools
CX50/30
Diagnostics Site Server (DSS)
DigitalDiagnost (C50, C90, Opta C50)
DoseWise Portal*
DR Compact
DuraDiagnost (Compact and F30)
EasyDiagnost
EchoNavigator
eICU Care Manager
EP Navigator
Epiq
FlexCardio
FocalPoint A.0/A.01
Holter Recorder DigiTrak XT (DTXT)*
Illumeo 2.0
Ingenia (upgrade to R5 & Factory R5)
IntelliBridge Enterprise (IBE)*
IntelliSpace Breast
IntelliSpace Cardiovascular (ISCV)*
IntelliSpace Console Critical Care (ISCCC)
IntelliSpace Discovery 2.0
IntelliSpace ECG Management System B.00 (IECG)*
IntelliSpace Perinatal (ISP)*
IntelliSpace Portal (Server & Workstation)
IntelliVue Guardian Software*
ISP Anywhere
ISP VL Capture 1.1 Visible Light
Juno DRF (5.7)
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
MobileDiagnost (M50, Opta, and wDR)
Multiva
Multiva/Prodiva
PIC iX*
PIIC Classic
Prograde
ProxiDiagnost N90
Sparq
SPhAERA (3.0 to 3.5, 3.6 & greater)
ST80i A.02*
SyncVision
UDM
ViewForum
Volcano Core Imaging System
Volcano Core Mobile Imaging System
VSS Dashboard*
Xcelera 4.1*
XIRIS 8.3
Xper IM*
XtraVision

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

End Update B


Begin Update A: January 21, 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Access CT (6 & 16 Slice)
Achieva (R1, R2, R3 to R5, R5, 3.0T, 3.0TX, and XR)
Brilliance (Big Bore Radiology, CT 64, CT Big Bore, iCT, iCT SP)
CombiDiagnost R90
Corsium
CT MX16 EV02
Diagnostics Site Server (DSS)
DigitalDiagnost (C50, C90, Opta C50)
DR Compact
DuraDiagnost (Compact and F30)
EasyDiagnost
Holter Recorder DigiTrak XT (DTXT)
Ingenia (upgrade to R5 & Factory R5)
Ingenuity (Core, Core 128, Core128/Elite China, CT, CT Brazil, TF PET/CT, TF PET/CT RoHS systems)
IntelliSpace Breast
IntelliSpace Connect Release 1.0
IntelliSpace ECG Management System B.00 (IECG)
IQon Spectral CT
Juno DRF
MicroDose (S0 (Balder), S1 (L50), S1 U (L50 U))
MobileDiagnost (M50, Opta and wDR)
Multiva
Multiva/Prodiva
Prograde
ProxiDiagnost N90
SPhAERA (3.x & 4.x)
ST80i A.02
Vereos

**Information or patch available in Incenter


End Update A

Microsoft Win7 and WinServer2008 R2 End-of-Support (14 January 2020)

Publication Date: January 14, 2020

Update Date: January 14, 2020

 

Philips is aware that Microsoft is ending Extended Support for the Windows 7 and Windows Server 2008 R2 operating systems on January 14, 2020.

 

As part of Philips product lifecycle management processes, product security policy, and associated protocols, and in anticipation of the expiration of Microsoft’s Extended Support period for Windows 7 and Windows Server 2008 R2, Philips has been evaluating Philips products and solutions that utilize these operating systems.

 

Philips is currently working to provide information regarding expiration of Microsoft extended support for Windows 7 and Windows Server 2008 as related to Philips products and solutions together with guidance to attain any further required product-specific information in support of any Philips products or solutions that use these Microsoft operating systems.

 

Philips products and solutions must be deployed and operated within Philips-approved product specifications as noted in their Instructions for Use. Also, as required by government regulations in the markets we operate in, all changes of configuration or software to Philips’ products or solutions (including operating system security updates and patches) may be implemented only by following Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.

Contract-entitled customers and service representatives may access product-specific service documentation produced by Philips product teams and made available to Philips product service support and/or service delivery platforms such as Philips InCenter (https://incenter.medical.philips.com). Entitled customers are encouraged to request Philips InCenter access and reference product-specific information when posted. Customers are also encouraged to contact their local service support team or regional product service support for information specific to their Philips’ products or environments.

 

Philips is providing the list below in order to assist our customers in identifying Philips’ products and solutions running on Microsoft Windows 7 or Windows Server 2008 R2. However, the list below is not exhaustive for all affected Philips products, and it includes:


  • products that have reached Philips end-of-life or end-of-support (****),
  • software-only products that may also be compatible with other OS versions or that may enable customers with options or roadmap plans to upgrade the customer owned OS and/or affected Philips product (*),
  • products with a currently available upgrade path to a fully supported Philips solution,
  • products aligned with 2020 roadmap plans to enable an upgrade path to a fully supported Philips solution,
  • products with other Philips recommended risk mitigation or remediation steps.

Access CT 6/16 – 2.x
Brilliance Big Bore / 4.2
Brilliance iCT/4.x, iCT SP/4.x, 64/4.x
CareEvent *
CompuRecord *
Core Imaging S5 3.5, M2 4.2
Diagnostic Site Server (DSS)
DynaCAD Breast and Prostate
DynaSuite Neuro 3
eCareManager *
eICU *
G3 Alice6 *
HCIS RIS 2010 10.x Clients
HCIS Vue PACS 11.3, Vue PACS 11.4 *
HCIS Vue RIS 11.0.12.x
HeartStart Configure 3.1 *
HeartStart Data Messenger 4.3.1 *
HeartStart Event Review 3.x, 4.x *,****
HeartStart Event Review Pro 5.0 *
IBE *
IEM v11.0x *
Incisive CT/1.0
Ingenuity CT / 4.x, Core, Core 128
Ingenuity TF/4.0.x
IntelliSpace Critical Care and Anesthesia (ICCA) *
IntelliSpace ECG Management System B.00 (IECG) *
IntelliSpace PACS 4.4
IntelliSpace Perinatal *
IntelliVue Guardian Software *
ISCV 1.x, 2.x, 3.x, 4.x *
ISP Anywhere 1.3
ISP6/7/8
Mobile 3.5
MX 16/2.x
Oncad
PIIC iX, PIIC Classic *
Respironics Actiware *
SensaVue HD and fMRI
Sleepware G3 *
SPhAERA (3.0 to 3.5) ****
ST80i A.02 *
Syncvision 4.2
Tempus ReachBak i2i *
UDM 1.1, 2.1
Vereos/2.0.x
Viewforum for Fixed Systems V6.3V1L9
Viewforum for Mobile Systems V6.3V1L7, V6.3V1L8
Vue RIS 11.0.14.x
Xcelera 4.1 *
XIRIS 8.3
Xper Flex Cardio
Xper IM 1.5, 2.x *

Information available from Philips InCenter, local service support, or regional product service support.

 

* Software only products with customer owned Operating Systems

**** End of Life (EoL)

 

If customers still have questions, all customers are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products or solutions.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.
