Please find our Security Advisories here

Security Advisory Archives (2021)

Microsoft December Critical Updates (2021 December 14)

Publication Date: 2021 December 14

Update Date: 2021 December 14

Philips is currently monitoring developments and updates related to the recently released Microsoft’s December 2021 Security Update Summary. Microsoft has released 67 updates to address multiple vulnerabilities in Microsoft software. Of the 67 updates, 7 have a CVSS score of critical. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

Some of the most severe vulnerabilities resolved in this update are listed below, although only one is known to be actively exploited in the wild:

CVE-2021-43890: This Windows AppX Installer Spoofing zero-day vulnerability, issued a CVSS severity score of 7.1 and rated important, is publicly known and under exploitation. Microsoft says that it is "aware of attacks that attempt to exploit this vulnerability by using specially crafted packages" and that the bug is being weaponized to spread the Emotet/Trickbot/Bazaloader malware families.
CVE-2021-41333: Issued a CVSS score of 7.8, this Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity.
CVE-2021-43880: This security flaw is described as a Windows Mobile Device Management Elevation of Privilege ((EoP) vulnerability that allows local attackers to delete targeted files on a system.
CVE-2021-43893: James Forshaw of Google Project Zero reported this issue (CVSS 7.5), which is described by Microsoft as an EoP in the Windows Encrypting File System (EFS).
CVE-2021-43240: Issued a CVSS score of 7.8, Microsoft says this flaw, an NTFS Set Short Name elevation of privilege bug, has proof-of-concept exploit code available and is known publicly. ·
CVE-2021-43883: The final zero-day flaw impacts Windows Installer. This issue, assigned a CVSS score of 7.8, can permit unauthorized privilege escalation.

According to Microsoft, the following CVEs have FAQs, Mitigations, or Workarounds. You can see these in more detail from the Vulnerabilities tab by selecting FAQs, Mitigations and Workarounds columns in the Edit Columns panel.

CVE-2021-40452
CVE-2021-40453
CVE-2021-41360
CVE-2021-41365
CVE-2021-42293
CVE-2021-42294
CVE-2021-42295
CVE-2021-42309
CVE-2021-42310
CVE-2021-42311
CVE-2021-42312
CVE-2021-42313
CVE-2021-42314
CVE-2021-42315
CVE-2021-42320
CVE-2021-43214
CVE-2021-43215
CVE-2021-43216
CVE-2021-43217
CVE-2021-43222
CVE-2021-43224
CVE-2021-43227
CVE-2021-43235
CVE-2021-43236
CVE-2021-43243
CVE-2021-43244
CVE-2021-43255
CVE-2021-43256
CVE-2021-43875
CVE-2021-43880
CVE-2021-43882
CVE-2021-43888
CVE-2021-43889
CVE-2021-43899
CVE-2021-43905

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Apache Log4J Advisory (2021 December 13)

Publication Date: 2021 December 13

Update Date: 2022 March 9

Philips is currently monitoring developments and updates related to the recently released Apache advisory. Apache has confirmed that a critical Remote Code Execution vulnerability (CVE-2021-44228) exists in their Log4j utility. Log4j is an open source, java-based logging utility.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s Log4j utility for potential impacts from this reported vulnerability and validating actions.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. https://incenter.medical.philips.com

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-44228. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

HealthSuite Marketplace (1.2) ⁵	Protocol Analytics (1.1) ^2,3	Vue PACS – Vue Motion (12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5
HSoP Platform On-Premise (hosting Pinnacle 18.x application)	RIS Clinic (10.1.10 – 10.1.20 New GUI)(21.0.0-21.0.3) ³	Vue PACS – MyVue (12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5
IntelliBridge Enterprise (B.13-B.15) ^1,3	Scanner Protocol Manager (1.1) ²	Vue PACS – Vue Explorer (12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5
IntelliSite Pathology Solution 5.1 (L1)	Tasy EMR ¹	Vue PACS – Web System Configuration (12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5
IntelliSpace Enterprise (v11 & above) ^2,3	Universal Data Manager (UDM)(1.x,2.1-2.2, 3.1) ⁴	Vue PACS – Speech Server (12.2.5.0) ^3,5
IntelliSpace Portal Server/workstation (v9 & above)^2,3	vSphere Compute Environment ⁵	Vue PACS – Report Analytics (Including ElasticSearch Server) (12.2.0.0, 12.2.1.0, 12.2.8.0) ^3,5
IntelliSpace Precision Medicine^1,3	XIRIS (8.2,8.3) ⁵	Vue PACS – Event Analytics (Including ElasticSearch Server) (12.2.5.0, 12.2.8.0)^3,5
Pathology De-identifier 1.0 (L1)	Radiology WorkSpace (RWS)(4.1) ³	Vue PACS – Oracle SQL Developer ^3,5
Performance Bridge (2.0 with Practice ) ^{2, 3}	Vue PACS - Unified Backend (WFM)(12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5	Vue PACS – Oracle TFA (12.2.5.0 – 12.2.5.300, 12.2.8.0) ^3,5
Performance Bridge (3.0 with or without Practice) ^2,3	Vue PACS – LTSM (12.2.5.0-12.2.5.300, 12.2.8.0) ^3,5

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned Operating Systems. For products solutions where the server was provided it is customer responsibility to validate and deploy patches.

² Software only products with customer owned Operating Systems. For products solutions where the server was provided by Philips, it will be Philips responsibility to validate and provide patches.

³ Information or patch available in Incenter. Please contact your local service support team.

⁴ Philips hosting environment is evaluating the VMware provided workaround and in the process of deploying for managed service customers.

⁵ Philips hosting environment has deployed a patch.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Apache Advisory CVE-2021-40438 (2021 December 10)

Publication Date: 2021 December 10

Update Date: 2021 December 13

Philips is currently monitoring developments and updates related to recently released reports that confirm an active exploitation of a previously fixed server-side request forgery vulnerability (CVE-2021-40438) in Apache’s HTTP Server. The vulnerability impacts HTTP Server versions 2.4.48 and earlier. Apache had released a new version (2.4.49) to fix this vulnerability back in September 2021.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s vulnerable products for potential impacts from this reported vulnerability and validating actions.

Begin Update A: 2021 December 13

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-40438. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Pinnacle 18.x

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

Philips IntelliBridge EC40 and EC80 (2021 November 18)

Publication Date: 2021 November 18

Update Date: 2022 January 27

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a potential issue related to certain versions of Philips IntelliBridge EC40 and EC80 systems (C.00.04 and prior).

Philips has identified that the affected software contains hard-coded credentials and authentication bypass using an alternate path or channel.

Philips’ analysis has shown that these issues require a low skill level to exploit. Successful exploitation of these issues may allow an attacker unauthorized access to the Philips IntelliBridge EC40/80 hub and may allow access to execute software, modify device configuration, or view/update files, including unidentifiable patient data. The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network (LAN).

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with these issues. It is unlikely that this potential vulnerability would impact clinical use, as the Philips IntelliBridge EC40/80 hub is not intended for use in connection with active patient monitoring.

Philips released software updates in Q4 2021 which is referenced in FCO86201952A, and has controlling mitigations on the affected software to limit the risk and exploitability of this potential vulnerability.

Philips has reported the potential vulnerabilities and their mitigations to the public and to the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific the Philips IntelliBridge EC40/80 solutions are advised by Philips to contact their local Philips service support team.

ICSMA-21-322-01 Philips IntelliBridge EC40-80: https://us-cert.cisa.gov/ics/advisories/icsma-21-322-01

Philips Patient Information Center iX (PIC iX) and Efficia CM Series (2021 November 18)

Publication Date: 2021 November 18

Update Date: 2023 June 9

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a potential issue related to certain versions of Philips Patient Information Center iX (PIC iX) and Efficia CM Series software.

Philips has identified vulnerabilities in the affected software including:

Improper input validation (CWE-20), affecting Patient Information Center iX (PIC iX) versions C.02, C.03
Use of a hard-coded cryptographic key (CWE-321), affecting Patient Information Center iX (PIC iX) versions B.02, C.02, C.03
Insecure cryptographic algorithm (CWE-327), affecting Patient Information Center iX (PICiX) version C.0x and Effica CM Series revisions A.01 to C.0x.

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with these issues. At this time there are no known public exploits that specifically target these vulnerabilities.

Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and denial of service resulting in temporary interruption of viewing of physiological data at the central station. Exploitation does not enable modification or change to point of care devices.

Philips released a remediation for CWE-20 in Q3 2021 in PIC iX C.03.06. Philips released a remediation for CWE-321 & CWE-327 in Q2 of 2023 in PIC iX 4.1. Users should operate all Philips deployed and supported products within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.

As an interim mitigation, Philips recommends the following which are outlined in the Philips Patient Monitoring System Security for Clinical Networks guide for additional information on InCenter:

Philips-provided hardware ships with Bitlocker Drive Encryption enabled by default to protect the data at rest stored on the system. It should not be disabled.
Philips recommends that customers follow NIST SP 800-88 for media sanitization prior to system disposal.
By default, patient information is not included in archives. When exporting archives that contain patient information, customers should store securely with strong access controls.
The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.

Users with questions regarding their specific the Philips Patient Information Center iX (PIC iX) and Efficia CM Series solutions are advised by Philips to contact their local Philips service support team.

ICSMA-21-322-02 Philips Patient Information Center iX (PIC iX) and Efficia CM Series: https://us-cert.cisa.gov/ics/advisories/icsma-21-322-02

Siemens NUCLEUS:13 Advisory (2021 November 10)

Publication Date: 2021 November 10

Update Date: 2021 November 10

Philips is currently monitoring developments and updates related to the recently published Cybersecurity and Infrastructure Security Agency (CISA) advisory (ICSA-21-313-03) concerning 13 reported vulnerabilities and referred to as NUCLEUS:13. These vulnerabilities are found in the TCP/IP stack and related services (FTP, TFTP) of the networking component (Nucleus NET) in the Nucleus Real-Time Operating Systems (RTOS). According to CISA, Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow an information leakage, or remote code execution.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Siemens’s vulnerable products for potential impacts from these reported vulnerabilities and validating actions.

When a product does require security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips MRI 1.5 and 3T release 5 (2021 November 9)

Publication Date: 2021 November 9

Update Date: 2021 November 15

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities. In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips MRI 1.5T version 5.x.x, and Philips MRI 3T version 5.x.x.

The company has identified three potential vulnerabilities for affected MRI software solutions, comprising improper access control, incorrect ownership assignment for resources, and potential exposure of sensitive information to unauthorized actors. To successfully exploit these vulnerabilities, physical access and valid login credentials are required. The exploitation may allow an attacker access to execute software, modify system configuration, or view/update files, and export data including patient data to an untrusted environment. These vulnerabilities are not exploitable via the network.

At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem.

Philips will release a software upgrade that will correct these issues for affected software in Q3 2022. As an interim mitigation to this vulnerability, Philips recommends the following: Users should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips Instructions for Use (IFU) available on InCenter.

Philips has reported this potential vulnerability and its resolution publicly and the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Philips MRI 1.5T and Philips MRI 3T systems are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Publication on Cybersecurity & Infrastructure Security Agency (CISA) website: https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01

Philips Tasy EMR HTML5 (2021 November 4)

Publication Date: 2021 November 4

Update Date: 2021 November 4

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips TASY Electronic Medical Record (EMR) HTML5 system, Versions 3.06.1803 and prior. Affected customers are advised to upgrade to Philips TASY EMR HTML5 Versions 3.06.1804 or later with latest service pack available, which are not subject to the reported vulnerabilities.

Regarding the Philips TASY EMR HTML5 system versions 3.06.1803 and prior, the company has identified two potential vulnerabilities that may allow SQL injection under certain conditions. Should this occur, a successful SQL injection attack can result in confidential patient data being exposed or extracted from the TASY database. Attackers could gain unauthorized access to Tasy EMR systems or accounts and, ultimately may lead to a Denial of Service to the database.

At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem. Philips’ analysis has shown that it is unlikely that this vulnerability would impact clinical use. Philips’ analysis also indicates there is no expectation of patient hazard due to this issue.

Philips has reported this potential vulnerability and its resolution publicly and to the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Philips TASY EMR system are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location:
https://www.philips.com.br/healthcare/resources/landing/solucao-tasy#_form

Cybersecurity & Infrastructure Security Agency (CISA)
Advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-308-01

Cisco Advisory CVE-2021-34783 (2021 November 3)

Publication Date: 2021 November 2

Update Date: 2021 November 2

Philips is currently monitoring developments and updates related to the recently released Cisco advisory. Cisco has confirmed that a vulnerability (CVE-2021-34783) exists in their Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software which could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. Cisco has released software updates that help remediate this vulnerability.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Cisco’s vulnerable products for potential impacts from these reported vulnerabilities and validating actions.

Apache Advisory CVE-2021-41773. CVE-2021-42013 and CVE-2021-41524 (2021 October 8)

Publication Date: 2021 October 8

Update Date: 2021 October 8

Philips is currently monitoring developments and updates related to the recently released Apache advisory. Apache has confirmed that three vulnerabilities (CVE-2021-41773, CVE-2021-42013 & CVE-2021-41524) exist in their HTTP Server Versions 2.4.49 & 2.4.50, two of which are being exploited in the wild (CVE-2021-41773 & CVE-2021-42013). Apache has released multiple new versions of HTTP server to help remediate these vulnerabilities.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s vulnerable HTTP Server for potential impacts from these reported vulnerabilities and validating actions.

VMware Advisory - Multiple CVE's (2021 September 30)

Publication Date: 2021 September 30

Update Date: 2021 October 6

Philips is currently monitoring developments and updates related to the recently released VMware advisory VMSA-2021-0020.1. VMware has confirmed that multiple vulnerabilities exist in their vCenter Server and cloud foundation products.

VMware has released mitigations and workarounds to help remediate the vulnerabilities. As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing VMware’s vulnerable products for potential impacts from these reported vulnerabilities and validating actions.

Begin Update A: 2021 October 6

Philips is providing the list below to better assist our customers in identifying any Philips’ products vulnerable to the “VMware Vulnerabilities”. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

IntelliSpace PACS***

*Software only products with customer owned Operating Systems. For products solutions where the server was provided, it is customer responsibility to validate and deploy patches.

**Information or patch available in Incenter

*** Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

End Update A

Apple Advisory CVE-2021-30858 and CVE-2021-30860 (2021 September 19)

Publication Date: 2021 September 19

Update Date: 2021 October 14

Philips is currently monitoring developments and updates related to the recent Apple vulnerabilities. Apple released a security update to address multiple vulnerabilities (CVE-2021-30858 and CVE-2021-30860) in several products.

Philips suggests that you review the Apple security advisory and install any necessary update as recommended by Apple.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing the vulnerable Apple operating systems for potential impacts from these reported vulnerabilities and validating actions.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

When a product does require security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Begin Update A: 2021 October 14

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-30858 & CVE-2021-30860. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Product	Product	Product
CarePoint

*Software only products
with customer owned Operating Systems. For products solutions where the server
was provided, it is customer responsibility to validate and deploy patches.

**Information or patch available in Incenter.

Note:
For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

End Update A

Microsoft MSHTML RCE Advisory CVE-2021-40444 (2021 September 13)

Publication Date: 2021 September 13

Update Date: 2021 September 13

Philips is currently monitoring developments and updates related to the recent Microsoft MSHTML Remote Code Execution vulnerability(CVE-2021-40444). Successful exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

Microsoft has released mitigations and workarounds to help remediate this vulnerability. Philips is currently in the process of evaluating this solution. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.

At this time, no Philips products are impacted. If we become aware of an affected product, we will post that information here.

Citrix Hypervisor Advisory (2021 September 13)

Publication Date: 2021 September 13

Update Date: 2021 September 13

Philips is currently monitoring developments and updates related to the recent Citrix Hypervisor security advisory. Multiple vulnerabilities have been identified in the Citrix Hypervisor that may allow privileged code in a guest virtual machine to compromise or crash the host.

Citrix has released hotfixes to help remediate these vulnerabilities. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Citrix hypervisors for potential impacts from these reported vulnerabilities and validating actions.

At this time, no Philips products are impacted. If we become aware of an affected product, we will post that information here.

HiveNightmare Advisory CVE-2021-36934 (2021 September 1)

Publication Date: 2021 September 1

Update Date: 2021 September 1

Philips is currently monitoring developments and updates related to the recent Microsoft Windows elevation of privilege vulnerability named HiveNightmare (CVE-2021-36934). With a successful exploitation of this vulnerability an attacker could run arbitrary code with system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft has released a security patch and a workaround to help remediate this vulnerability. Philips is currently in the process of evaluating this solution. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products vulnerable to the “HiveNightmare (CVE-2021-36934)” vulnerability. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Product	Product	Product
ACSYS Gateway (1.x)*	e-Whiteboard(1.x)*	ORSYS(G4,X1)*
ACSYS/ACSYS-ER (Ke,Kn,Ki)*	Holter Recorder DigiTrak XT (DTXT)(3.0.3)*	SPhAERA(5.x)
CDE(2.x)*	IntelliSpace Perinatal (K.0)*	ST80i A.02(2.05)*
Diagnostic Site Server (DSS)	IntelliSpace Portal Workstation (11.0/12.0)**	Vi-Pros(1.x)*
eTriage(2.x)*	IntelliVue XDS(M.0/N.01)*

*Software only products with customer owned Operating Systems. For products solutions where the server was provided, it is customer responsibility to validate and deploy patches.
**Information or patch available in Incenter

Note:

PetitPotam Advisory CVE-2021-36942 (2021 September 7)

Publication Date: 2021 September 7
Update Date: 2021 September 7

Philips is currently monitoring developments and updates related to the recent Microsoft Windows vulnerability named PetitPotam (CVE-2021-36942). With a successful exploitation of this vulnerability an attacker could compromise Windows domain controllers and other Windows servers.

Microsoft has released a security patch and provided a mitigation to help remediate this vulnerability. Philips is currently in the process of evaluating this solution. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products vulnerable to the “PetitPotam (CVE-2021-36942)” vulnerability. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

ACSYS Gateway (1.x)*	e-Whiteboard(1.x)*	ORSYS(G4,X1)*
ACSYS/ACSYS-ER (Ke,Kn,Ki)*	IntelliSpace PACS	UDM/ISR
CDE(2.x)*	IntelliSpace Perinatal (J,K)	Vi-Pros(1.x)*
eTriage(2.x)*	IntelliVue XDS (M,N,P)

*Software only products with customer owned Operating Systems. For products solutions where the server was provided, it is customer responsibility to validate and deploy patches.

Microsoft Windows Print Spooler Elevation of Privileges Vulnerability CVE-2021-34481 (2021 August 13)

Publication Date: 2021 Aug 13
Update Date: 2021 Aug 29

Philips is currently monitoring developments and updates related to a recent Microsoft alert, providing guidance for a Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-34481). The vulnerability impacts computers running the Print Spooler service on Windows client and server versions starting with Windows 7 and higher.

According to Microsoft, the vulnerability can be exploited when the Windows Print Spooler service improperly performs privileged file operations. Similar to a previously reported vulnerability CVE-2021-34527 (PrintNightmare), this distinct vulnerability exists in the Print Spooler services. However, unlike PrintNightmare, the security impact of this distinct CVE-2021-34481 Print Spooler vulnerability is “local” elevation of privileges. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.

Begin Update A: 2021 August 29

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to the Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2021-34481) vulnerability. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

CareEvent (C.0x)	IntelliSpace Critical Care and Anesthesia (H.x, J.x)	IntelliVue Guardian Software (E.0x)*
Data Warehouse Connect	IntelliSpace Perinatal (K.0)*	IntelliVue XDS (M.0/N.01)*
eICU eCare Manager*	IntelliSpace Portal Server (11.0/12.0)**	Multi-Patient Bridge (V1.0.0.1)*
eICU eSearch*	IntelliSpace Portal Workstation (11.0/12.0)**	Philips Device Management Dashboard*
FocalPoint (A.0/A.01)*	IntelliSpace Portal Enterprise Concerto (11.0/12.0)**	PIC iX (B.0x/C.0x)

*Software only products with customer owned Operating Systems. For products solutions where the server was provided, it is customer responsibility to validate and deploy patches.

**Information or patch available in Incenter.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

End Update A

SolarWinds Serv-U Remote Memory Escape Vulnerability CVE-2021-35211 (2021 July 13)

Publication Date: 2021 July 13

Update Date: 2021 July 13

Philips is currently monitoring developments related to recent reports of a security vulnerability affecting the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP. According to SolarWinds, the vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.

Our global security teams are analyzing updates from SolarWinds, in the event that this issue may potentially be related to known security vulnerabilities. CVE-2021-35211 was assigned to Serv-U Remote Memory Escape Vulnerability.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our solutions. The company is a recognized leader in health technology cybersecurity. As part of the global Philips Product Security Policy, the company conducts extensive, ongoing analysis of our solutions, often in collaboration with customers, researchers, and government agencies.

To date, Philips’s review has not identified products affected by the Solarwinds software vulnerabilities. Philips does not utilize Solarwinds in an external facing capacity when servicing or monitoring medical devices through Philips Remote Service Network (RSN/PRS). Our review and analysis is ongoing.

Kaseya VSA Supply-Chain Ransomware Attack (2021 July 5)

Publication Date: 2021 July 5

Update Date: 2021 July 5

Philips is aware and currently monitoring supply chain attack affecting Kaseya VSA, a remote management and network monitoring product. We are aware of the attack, which has been leveraged to deploy ransomware to networks which utilize Kaseya VSA. The variant of ransomware deployed is REvil/Sodinokibi. Preliminary details about the activity suggest that VSA admin accounts are disabled shortly before ransomware is deployed.

Philips is not leveraging Kaseya VSA in its Remote Service access (PRS) to our customers and until now no products have been identified leveraging this technology. We continue to evaluate all our products and if we identify any products or services affected we will publish this here.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerability and validating actions. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Philips Vue PACS (2021 June 28)

Publication Date: 2021 June 29

Update Date: 2023 February 16

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding potential issues related to the certain versions Philips Vue PACS (Picture Archiving and Communications System) software and related products:

Vue PACS versions 12.2.x.x and prior
Vue MyVue versions 12.2.x.x and prior
Vue Speech versions 12.2.x.x and prior
Vue Motion versions 12.2.1.5 and prior

Philips has identified potential security vulnerabilities that under specific conditions could impact or potentially compromise patient confidentiality, system integrity, and/or system availability. To minimize the potential risk of these vulnerabilities, Philips recommends that users upgrade to the latest Philips Vue PACS software running on Windows Operating System 2019 and enabling security patching procedures for timely security updates. Philips’ analysis has shown that these issues require a range of low skill to high skill to exploit. In this event, unauthorized users may be able to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash. Philips has identified that some of the affected vulnerabilities could be attacked remotely. Exploits that could target some of the vulnerabilities are known to be publicly available.

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue. It is unlikely that this potential vulnerability would impact clinical use. Philips released software updates and has controlling mitigations on the affected software to limit the risk and exploitability of most of these vulnerabilities.

Philips has reported these potential vulnerabilities and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Vue PACS solutions are advised by Philips to contact their local Philips service support team. Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity

ADDENDUM: In January 2022, Philips added one low-severity vulnerability report (CWE-23) to the original July 2021 Coordinated Vulnerability Disclosure posted by CISA in July 2021. This additional vulnerability did not alter the overall CvSS3 Score for the reported vulnerabilities in this product.

ADDENDUM 2: In March 2022, Philips updated the advisory to announce earlier versions than originally planned were released that remediated CWE-665 and CWE-327 for Speech. Also, 12.2.8.100 was released in Q1 of 2022 that remediates CWE-665 and CWE-710 for MyVue, CWE-79, CWE-693, CWE-665, CWE-1188, CWE-327, CWE-176, CWE-522, CWE-710, and CWE-707 for PACS. CWE-522 with a low CVSS score will be remediated in Q3 of 2023.

ADDENDUM 3: In February 2023, Philips updated the advisory to note that CWE-23 had been remediated in December 2021 with the released version of 12.2.1.6 for VuePAC (WFM), Vue Motion (Enterprise Viewer), Vue Explorer, and Web System Configuration.

Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01

Philips Interoperability Solutions XDS (2021 June 24)

Publication Date: 2021 June 24

Update Date: 2021 June 24

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a potential issue related to the certain versions of Philips Interoperability Solutions XDS (Software Versions 2.5 to 3.11 and 2018-1 to 2021-1).

Philips has identified a potential low-severity security vulnerability that requires a high skill level to exploit, and for which there are no known public exploits available. A highly motivated attacker can read the Lightweight Directory Access Protocol (LDAP) system credentials by gaining access to the network channel being used for communication. Should this occur, clear text transmission of sensitive information risk applies to configurations which are configured to use LDAP via Transport Layer Security (TLS).

To minimize the potential risk of these vulnerabilities, Philips has identified the following guidance and mitigations:

Administrators should disable LDAP referrals on their LDAP servers if LDAP via TLS is used.
Administrators should configure their LDAP servers to include a complete structure to search.

The Philips software is not be used for clinical use nor rated as a medical device; therefore, this potential vulnerability would not impact patient safety.

Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Interoperability Solutions XDS installations are advised by Philips to contact their local Philips service support team. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or call 1-800-722-9377

Publication on Cybersecurity & Infrastructure Security Agency (CISA) website: https://us-cert.cisa.gov/ics/advisories/icsma-21-175-01

VMware Advisory CVE-2021-21985 and CVE-2021-21986 (2021 May 26)

Publication Date: 2021 May 26

Update Date: 2021 May 28

Philips continues to review developments related to recently reported VMware vCenter Server and VMware Cloud Foundation critical and medium rated vulnerabilities (CVE-2021-21985 & CVE-2021-21986). According to VMware advisory VMSA-2021-0010 these VMware vCenter Server updates address remote code execution and authentication vulnerabilities.

Following evaluation of the reported VMWare vulnerabilities, Philips has identified a limited number of products that contain affected VMWare software. Philips analysis has determined that the majority of these products are not affected by the reported vulnerability.

For products potentially affected by the VMWare vulnerability, Philips has determined that if affected VMWare software is updated the most recent versions containing the security upgrade, the reported vulnerabilities are mitigated. Philips does not provide or maintain VMware for customers using these products and advises customers to assess their VMware environment to determine if a software update/upgrade is necessary.

Affected Philips systems are safe for continued operation consistent with their Instructions for Use. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications.

Begin Update A: 2021 May 28

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products running on VMware vCenter Server and VMware Cloud Foundation that could be vulnerable to CVE-2021-21985 or CVE-2021-21986. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

CareEvent C.0x*	IntelliSpace PACS 4.4, 4.4.551, 4.4.553***	Patient Information Center (PIC) iX B.0x/C.0x*
Clinical Collaboration Platform (registered as VuePACS)*	IntelliSpace Portal Server and IntelliSpace Portal Enterprise*	PerformanceBridge Focal Point A.0x*
eCareManger 4.2.x/4.3.x/4.4.x/4.5.x*	IntelliSpace Portal Enterprise (Concerto) solution with hardware and VM/vSphere infrastructure supplied by Philips*,**	Pinnacle 18.x***
IntelliSite Pathology Solution	IntelliVue Guardian Software (IGS) E.0x*	RIS (formally known as Vue)*
IntelliSpace Critical Care and Anethesia (ICCA) H.02/J.01*	Multi-patient Bridge 1.0.x/2.0.x*	UDM 1.1, 2.1

*Software only product, customers may have installed these products on VMware. For these products, Philips does not validate VMware security patches. It is the customer responsibility to validate and deploy VMware patches.

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

****In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure. In case there is no valid service level agreement, please contact your local Philips IntelliSpace Portal representative.

End Update A

Microsoft Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527) – PrintNightmare (2 July 2021)

Publication Date: 2021 July 2

Update Date: 2021 August 30

Philips is currently monitoring developments and updates related to the recent Microsoft alert, providing guidance for a Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527). We are aware of a public report, known as “PrintNightmare”. The vulnerability impacts computers running the Print Spooler service on Windows client and server versions starting with Windows 7 and higher.

According to Microsoft, the vulnerability can be exploited as an authenticated user calling RpcAddPrinterDriverEx(). An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft has released security patches to address both CVE-2021-1675 & CVE-2021-34527 vulnerabilities. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.

Begin Update E: 2021 August 30

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-34527. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Product	Product	Product
ACSYS Gateway & ACSYS-ER (1)	InGent RIS (1)	ORSYS (1)
CareEvent	Intellibridge Enterprise (IBE) (1)	PIC iX (B.0x, C.0x)
CDE (1)	IntelliSpace Breast	Pinnacle 18.x
Data Warehouse Connect	IntelliSpace Cardiovascular (ISCV) (1)	RIS (1)
Diagnostic Site Server (DSS) (5)	IntelliSpace Critical Care and Anesthesia (ICCA)	SensaVue HD and fMRI
Dosewise Portal (1)	IntelliSpace ECG Management System (ECG) (4)	SPARSH (SPM + PA) (1)
DynaCAD Breast and Prostate (1)	IntelliSpace Perinatal (OBTV) (1)	SPhAERA (3.x, 4.x, 5.x)
DynaSuite Neuro 3 (1)	InteliSpace Portal Server (ISP) (1)	ST80i A.02 (1)
eICU eCare Manager & eSearch (1)	IntelliSpace Portal Workstation (1)	UroNav (1.x, 2.x, 3)
eTriage (1)	IntelliVue Guardian Software (1)	Vi-Pros (1)
e-Whiteboard (1)	IntelliVue XDS (1)	VSS Dashboard (1)
Focal Point (1)	i-Report (1)	Xper IM 1.5;2.x-5.x (1)
Forcare Suite (1) (3)	Lung Cancer Screening (1)	Xcelera 4.1 (1)
Holter Recorder DigiTrak XT (DTXT) (1)	Multi-Patient Bridge (MPB) (1)
Image Management (1)	Performance Bridge (1)

(1) Software only products with customer owned Operating Systems. For these products, Philips does not validate security patches, it is the customer responsibility to validate and deploy patches.

(2) Information or patch available in Incenter

(3) Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

(4) In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure.

(5) Product is configured to automatically download patches

Note:

End Update E

Begin Update D: 2021 August 18

Product	Product	Product
ACSYS Gateway & ACSYS-ER (1)	InGent RIS (1)	ORSYS (1)
CareEvent	Intellibridge Enterprise (IBE) (1)	Performance Bridge (1)
CDE (1)	IntelliSpace Breast	PIC iX (B.0x, C.0x)
Data Warehouse Connect	IntelliSpace Cardiovascular (ISCV) (1)	Pinnacle 18.x
Diagnostic Site Server (DSS) (5)	IntelliSpace Critical Care and Anesthesia (ICCA)	RIS (1)
Dosewise Portal (1)	IntelliSpace ECG Management System (ECG) (4)	SensaVue HD and fMRI
DynaCAD Breast and Prostate (1)	IntelliSpace Perinatal (OBTV) (1)	SPARSH (SPM + PA) (1)
DynaSuite Neuro 3 (1)	InteliSpace Portal Server (ISP) (1)	SPhAERA (3.x, 4.x, 5.x)
eICU eCare Manager & eSearch (1)	IntelliSpace Portal Workstation (1)	ST80i A.02 (1)
eTriage (1)	IntelliVue Guardian Software (1)	UroNav (1.x, 2.x, 3)
e-Whiteboard (1)	IntelliVue XDS (1)	Vi-Pros (1)
Focal Point (1)	IntraSight	VSS Dashboard (1)
Forcare Suite (1) (3)	i-Report (1)	Xper IM 1.5;2.x-5.x (1)
Holter Recorder DigiTrak XT (DTXT) (1)	Lung Cancer Screening (1)	Xcelera 4.1 (1)
Image Management (1)	Multi-Patient Bridge (MPB) (1)

(1) Software only products with customer owned Operating Systems. For these products, Philips does not validate security patches, it is the customer responsibility to validate and deploy patches.

(2) Information or patch available in Incenter

(3) Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

(4) In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure.

(5) Product is configured to automatically download patches

Note:

End Update D

Begin Update C: 2021 August 3

Product	Product	Product
ACSYS Gateway & ACSYS-ER (1)	InGent RIS (1)	Performance Bridge (1)
CardioMD I/II/III/IV	Intellibridge Enterprise (IBE) (1)	PIC iX (B.0x, C.0x)
CareEvent (4)	IntelliSpace Breast	Pinnacle 18.x
CDE (1)	IntelliSpace Cardiovascular (ISCV) (1)	RIS (1)
Data Warehouse Connect (1) (2)	IntelliSpace Critical Care and Anesthesia (ICCA)	SensaVue HD and fMRI
Diagnostic Site Server (DSS) (5)	IntelliSpace ECG Management System (ECG) (4)	SPARSH (SPM + PA) (1)
Dosewise Portal (1)	IntelliSpace Perinatal (OBTV) (1)	SPhAERA (3.x, 4.x, 5.x)
DynaCAD Breast and Prostate (1)	InteliSpace Portal Server (ISP) (1)	ST80i A.02 (1)
DynaSuite Neuro 3 (1)	IntelliSpace Portal Workstation (1)	UroNav (1.x, 2.x, 3)
eICU eCare Manager & eSearch (1)	IntelliVue Guardian Software (1)	Vi-Pros (1)
eTriage (1)	IntelliVue XDS (1)	VSS Dashboard (1)
e-Whiteboard (1)	IntraSight	Xper IM 1.5;2.x-5.x (1)
Focal Point (1)	i-Report (1)	Xcelera 4.1 (1)
Forcare Suite (1) (3)	Lung Cancer Screening (1)
Holter Recorder DigiTrak XT (DTXT) (1)	Multi-Patient Bridge (MPB) (1)
Image Management (1)	ORSYS (1)

(1) Software only products with customer owned Operating Systems. For these products, Philips does not validate security patches, it is the customer responsibility to validate and deploy patches.

(2) Information or patch available in Incenter

(3) Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

(4) In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure.

(5) Product is configured to automatically download patches

Note:

End Update C

Begin Update B: 2021 July 19

Product	Product	Product
ACSYS Gateway & ACSYS-ER (1)	InGent RIS (1)	Multi-Patient Bridge (MPB) (1)
CareEvent	Intellibridge Enterprise (IBE) (1)	ORSYS (1)
CDE (1)	IntelliSpace Breast	Performance Bridge (1)
Data Warehouse Connect	IntelliSpace Cardiovascular (ISCV) (1)	PIC iX (B.0x, C.0x)
Diagnostic Site Server (DSS) (5)	IntelliSpace Critical Care and Anesthesia (ICCA)	Pinnacle 18.x
Dosewise Portal (1)	IntelliSpace ECG Management System (ECG) (1)	RIS (1)
DynaCAD Breast and Prostate (1)	IntelliSpace Perinatal (OBTV) (1)	SensaVue HD and fMRI
DynaSuite Neuro 3 (1)	InteliSpace Portal Server (ISP) (1)	SPARSH (SPM + PA) (1)
eICU eCare Manager & eSearch (1)	IntelliSpace Portal Workstation (1)	SPhAERA (3.x, 4.x, 5.x)
eTriage (1)	IntelliVue Guardian Software (1)	ST80i A.02 (1)
e-Whiteboard (1)	IntelliVue XDS (1)	UroNav (1.x, 2.x, 3)
Focal Point (1)	IntraSight	Vi-Pros (1)
Forcare Suite (1) (3)	ISEE (4)	VSS Dashboard (1)
Holter Recorder DigiTrak XT (DTXT) (1)	i-Report (1)	Xper IM 1.5;2.x-5.x (1)
Image Management (1)	Lung Cancer Screening (1)	Xcelera 4.1 (1)

(1) Software only products with customer owned Operating Systems. For these products, Philips does not validate security patches, it is the customer responsibility to validate and deploy patches.

(2) Information or patch available in Incenter

(3) Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

(4) In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure.

(5) Product is configured to automatically download patches

Note:

End Update B

Begin Update A: 2021 July 12

Product	Product	Product
ACSYS Gateway & ACSYS-ER (1)	IntelliSpace Breast	PIC iX (B.0x, C.0x)
CareEvent	IntelliSpace Cardiovascular (ISCV) (1)	Pinnacle 18.x
CDE (1)	IntelliSpace Critical Care and Anesthesia (ICCA)	RIS (1)
Data Warehouse Connect	IntelliSpace ECG Management System (ECG) (1)	SensaVue HD and fMRI
Diagnostic Site Server (DSS) (5)	IntelliSpace Perinatal (OBTV) (1)	SPARSH (SPM + PA) (1)
Dosewise Portal (1)	InteliSpace Portal Server (ISP) (1)	SPhAERA (3.x, 4.x, 5.x)
DynaCAD Breast and Prostate (1)	IntelliSpace Portal Workstation (1)	ST80i A.02 (1)
DynaSuite Neuro 3 (1)	IntelliVue Guardian Software (1)	SyncVision
eICU eCare Manager & eSearch (1)	IntelliVue XDS (1)	UroNav (1.x, 2.x, 3)
eTriage (1)	IntraSight	Vi-Pros (1)
e-Whiteboard (1)	ISEE	Volcano ComboMap System
Forcare Suite (1) (3)	i-Report (1)	Volcano Core Imaging System
Holter Recorder DigiTrak XT (DTXT) (1)	Lung Cancer Screening (1)	Volcano Core Mobile Imaging System
Image Management (1)	Multi-Patient Bridge (MPB) (1)	VSS Dashboard (1)
InGent RIS (1)	ORSYS (1)	Xper IM 1.5;2.x-5.x (1)
Intellibridge Enterprise (IBE) (1)	Performance Bridge (1)	Xcelera 4.1 (1)

(1) Software only products with customer owned Operating Systems. For these products, Philips does not validate security patches, it is the customer responsibility to validate and deploy patches.

(2) Information or patch available in Incenter

(3) Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

(4) In case of valid service level agreement, Philips is in the process of validating and deploying the patch on the Philips provided infrastructure.

(5) Product is configured to automatically download patches

Note:

End Update A

Conti Ransomware Advisory (2021 May 24)

Publication Date: 2021 May 20

Update Date: 2021 May 24

Philips is currently monitoring developments and updates related to the Federal Bureau of Investigation (FBI) (CP-000147-MW). The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.

Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti actors use remote access tools, which most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers. Other indicators of Conti activity include the appearance of new accounts and tools—particularly Sysinternals—which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system (DNS) beacons, and disabled endpoint detection.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

Begin Update A: 24 May 2021

At this time, no Philips products or solutions are impacted. If we become aware of an affected product or solution, we will post that information here.

For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

End Update A

BadAlloc RTOS Advisory (2021 May 7)

Publication Date: 2021 May 7

Update Date: 2021 September 14

Philips is currently monitoring developments and updates related to the Cybersecurity & Infrastructure Security Agency (CISA) advisory (ICSA-21-119-04). We are aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries.

Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution. This critical vulnerability (CVSS v3 9.8) affects multiple RTOS vendors, most of whom already have a mitigation available.

Begin Update C: 2021 September 14

The products previously listed as vulnerable have been removed. After further investigations and testing it was deemed that due to network configurations and network protocols used with the products, there is no impact from the “BadAlloc” vulnerability.

Begin Update B: 2021 August 24

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to the “BadAlloc” vulnerability. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

BV Endura (2.3)	BV Pulsera (2.3)	Veradius Neo (1.2)
Veradius Unity (2.1)

*Software only products with customer owned Operating Systems. For products solutions where the server was provided, it is customer responsibility to validate and deploy patches.

**Information or patch available in Incenter

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

End Update B

Begin Update A: 2021 August 17

To date, Philips’s review has not identified products affected by the “BadAlloc” vulnerabilities. Our review and analysis is ongoing.

Note:
For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

End Update A

Ivanti Pulse Connect Secure Advisory (2021 May 4)

Publication Date: 2021 May 4

Update Date: 2021 May 4

Philips is currently monitoring developments and updates related to the Cybersecurity & Infrastructure Security Agency (CISA) advisory (AA21-110A).

CISA partners have observed active exploitation of vulnerabilities in Ivanti’s Pulse Connect Secure products. Successful exploitation of these vulnerabilities allows an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. Ivanti has provided a mitigation and is in the process of developing a patch.

At this time, no Philips products are impacted. If we become aware of an affected product, we will post that information here.

NAME:WRECK Advisory (2021 April 15)

Publication Date: 2021 April 15

Update Date: 2021 April 30

Philips is currently monitoring developments and updates related to nine DNS vulnerabilities reported by cybersecurity researchers from Forescout and JSOF. The set of nine vulnerabilities, referred to as NAME:WRECK affect Domain Name System (DNS) implementations which affect at least four common TCP/IP stacks – FreeBSD, IPNet, NetX and Nucleus NET.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing DNS with affected TCP/IP stacks for potential impacts from these reported vulnerabilities and validating actions.

Begin Update A: 2021 April 30

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to the NAME:WRECK vulnerabilities. However, the list below is not comprehensive and may be updated as necessary if more products are identified.

Airvibe	Jaguar	Polaris Robot Vacuum Cleaner
Comfort	Mario	Puma
Intellispace Perinatal (J.x)*	Microcube	SIMBA

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

End Update A

Philips Gemini PET/CT Family systems (2021 March 25)

Publication Date: 2021 March 25

Update Date: 2021 March 25

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a very low-severity issue related to Philips Gemini PET/CT Family systems (CVSS v3 Score – 2.4 on a scale of 10).

This potential issue is related to storage of information in a file system or device without access control, specific to removable media. Should this issue be exploited, there is a possibility that sensitive information may be accessible by unauthorized parties. This potential vulnerability requires physical access to the removable media to exploit.

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.

Philips is reminding customers that users should operate all Philips deployed and supported Gemini PET/CT systems within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.

Customers with questions regarding their specific Philips Gemini PET/CT installations should contact their Philips support representative, visit the customer service solutions web site at https://www.usa.philips.com/healthcare/solutions/customer-service-solutions, or call 1-800-722-9377.

Publication on Cybersecurity & Infrastructure Security Agency (CISA) website: https://us-cert.cisa.gov/ics/advisories/icsma-21-084-01

F5 K02566623 Advisory (CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992 (2021 March 10)

Publication Date: 2021 March 10

Update Date: 2021 March 12

Philips is currently monitoring developments and updates related to the recent F5 alert concerning four critical CVEs, along with three related CVEs (two highs and one medium).

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing F5 for potential impacts from these reported vulnerabilities and validating actions. F5 has released a patch to help remediate this vulnerability. Philips is currently in the process of validating the F5 patch and vendor recommended mitigation options. Once the F5 patch has been tested and validated by Philips with the impacted products, the patch will either be installed by Philips or made available for installation by customers, depending on contract details.

Begin Update A: March 12, 2020

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Clinical Collaboration Platform ***

(formally called Vue PACS)

IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553***

Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***

VueBeyond

*Software only products with customer owned Operating Systems

**Information or patch available in Incenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

End Update A

Microsoft Exchange Server Advisory AA21-062A (2021 March 8)

Publication Date: 2021 March 8

Update Date: 2021 March 15

Philips is currently monitoring developments and updates related to the Cybersecurity & Infrastructure Security Agency (CISA) advisory (AA21-062A). CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.

Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

At this time, no Philips products are impacted. If we become aware of an affected product, we will post that information here.

Philips Interventional Workstations (2021 January 19)

Publication Date: 2021 January 19

Update Date: 2021 January 19

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding software versions of Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, and ViewForum running on older Haswell workstations.

Philips has become aware of a potential moderate-severity security vulnerability in affected systems. This potential vulnerability requires access to the hospital network to exploit. Should successful exploitation occur, there is a possibility that an attacker already within the hospital network could potentially shut down or restart the workstation. In the event that the workstation is remotely shut down, physicians are still able to use diagnostic imaging from the X-ray system.

To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue. Philips has released a software patch to proactively address this vulnerability in the installed base and will schedule service activities with impacted customers to implement the correction. As a mitigation for this potential security vulnerability, customers with expertise are advised to change the IPMI password for the workstation interface.

Customers with questions regarding their specific Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, and ViewForum installations should contact their Philips support representative or call 1-800-722-9377 with reference to field change order (FCO) number FCO72200452.

Cybersecurity & Infrastructure Security Agency (CISA) Advisory: Philips Interventional Workstations | CISA

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.

Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.