
Please find our Security Advisories here

Security Advisory Archives (2023)

F5 BIG-IP Vulnerability (CVE-2023-46747) (2023 November 23)

Publication Date: 2023 November 23

Update Date: 2023 November 23

 

Philips is aware of and is currently monitoring developments and updates related to the recent F5 BIG-IP Configuration utility unauthenticated remote code execution vulnerability (CVE-2023-46747).

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

837507 – IntelliSpace PACS [2]

836240 – Universal Data Manager 2 (UDM)

For all of the above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

 

[1] Software-only products with customer-owned operating systems.

[2] For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Citrix Bleed Advisory (CVE-2023-4966, CVE-2023-4967) (2023 November 11)

Publication Date: 2023 November 11

Update Date: 2024 March 28

 

Philips is currently monitoring developments and updates related to the active, targeted exploitation of vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-4966 and CVE-2023-4967). CVE-2023-4966, also known as Citrix Bleed, is a buffer overflow that allows sensitive information disclosure (including session material that can be reused to hijack authenticated sessions) when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; CVE-2023-4967, disclosed in the same Citrix bulletin, is a denial-of-service vulnerability with the same preconditions. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Mirth Connect Advisory (CVE-2023-37679, CVE-2023-43208) (2023 November 3)

Publication Date: 2023 November 3

Update Date: 2023 November 3

 

Philips is currently monitoring developments and updates related to recently released vulnerabilities in the Mirth Connect open source data integration platform (CVE-2023-37679 and CVE-2023-43208). Both are easily exploitable, unauthenticated remote code execution vulnerabilities; CVE-2023-43208 is a bypass of the incomplete fix for CVE-2023-37679, so installations that only applied the first fix remain exposed. Attackers would most likely exploit these vulnerabilities for initial access or to compromise sensitive healthcare data.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by these vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

839001 – Vue PACS [1]

839007 – Vue RIS/EIS [1]

For all of the above products Philips is evaluating the best possible mitigations.

 

[1] The Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please contact your local service support team.

 

Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against these vulnerabilities. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability (CVE-2023-20198) (2023 October 20)

Publication Date: 2023 October 20

Update Date: 2023 October 24

 

Philips is currently monitoring developments and updates related to recently disclosed Cisco vulnerabilities in the IOS XE Software web UI (CVE-2023-20198 and CVE-2023-20273). Successful exploitation of the first vulnerability (CVE-2023-20198) allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which is sufficient to take control of the device. The attacker can then exploit a second web UI component (CVE-2023-20273), using the newly created local user, to elevate privileges to root and write a malicious implant to the file system.

 

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses. Note that an access restriction only limits which hosts can reach the web UI; it does not remove the vulnerability, so upgrading to a fixed IOS XE release remains the actual remediation. Details pertaining to applicability and remediation can be found here.
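As an added illustration of the two configurations Cisco's recommendation refers to (this fragment is not part of the Philips advisory or of Cisco's bulletin, and nothing here is a Philips-approved procedure for a Philips product), the IOS XE global-configuration commands are shown below with the exposed setting beside the hardened ones. The ACL name TRUSTED-MGMT and the 10.0.0.0/24 management range are assumptions; the exact argument form of `ip http access-class` varies by IOS XE release, so check the configuration guide for the release in use.

```text
! Check first: any line returned here means the web UI is enabled
show running-config | include ip http

! Exposed: web UI reachable from every source address (the condition
! CVE-2023-20198 / CVE-2023-20273 are exploited through)
ip http server
ip http secure-server

! Option 1 (Cisco's primary recommendation): turn the web UI off entirely
no ip http server
no ip http secure-server

! Option 2: keep the web UI but only for an assumed trusted management range
ip access-list standard TRUSTED-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any
ip http access-class ipv4 TRUSTED-MGMT
ip http secure-server

! Either way, persist the change so it survives a reload
copy running-config startup-config
```

Option 1 removes the attack surface; option 2 reduces it to hosts you already trust and is only appropriate where a management workflow genuinely depends on the web UI. Both are stop-gaps until the device runs a fixed release, and on Philips-supplied network equipment any such change still has to go through the product-specific procedures described on this page.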

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Microsoft Windows Server 2012 and Server 2012 R2 End of Life (2023 October 10)

Publication Date: 2023 October 10

Update Date: 2024 February 22

 

Philips is aware that on October 10, 2023 Microsoft reached end of life for Windows Server 2012 and Windows Server 2012 R2. Microsoft states that after this date these products will no longer receive security updates, non-security updates, bug fixes, technical support, or online technical content updates.

 

As part of Philips product lifecycle management processes, product security policy, and associated protocols, Philips has been evaluating Philips products and solutions that utilize these operating systems. Philips is currently working to provide Microsoft Extended Security Updates (ESUs) for up to three years, until October 13, 2026, for products and solutions that cannot migrate to a supported vendor operating system.

 

Philips products and solutions must be deployed and operated within Philips-approved product specifications as noted in their Instructions for Use. Also, as required by government regulations in the markets we operate in, all changes of configuration or software to Philips’ products or solutions (including operating system security updates and patches) may be implemented only by following Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s announcement. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Capsule MDIP [1]

861431 – HeartStart Event Review versions 4.2, 4.3, 5.2 [1, 3]

IntelliSpace Picture Archive & Communication Systems (PACS) [2]

Capsule Surveillance [1]

861440/861441 – HeartStart Telemedicine version 4.2 [1, 3]

866009 – IntelliVue Guardian Software (IGS) version E.0x [1, 3]

860292 – Holter SW [1, 3]

IntelliSite Pathology Solution (PIPS) [1]

867019 – IntelliVue XDS versions N.00, N.01, N.02, P.00.00, P.00.01 [1, 3]

861487 – HeartStart Configure version 3.1 [1, 3]

VSS Dashboard [1]

861451 – HeartStart Data Messenger version 4.3.1 [1, 3]

867061 – IntelliSpace Perinatal (ISP) [OBTV] versions K.00.10, K.00.20, K.00.21, K.00.22 [1]

Legend:

[1] Software-only products; the customer is responsible for the operating system (OS). Customers are advised to use the most current, up-to-date operating system. The lists of validated operating systems for these products are published in InCenter. Please contact your local service support team for assistance.

[2] Philips hosting and managed services businesses are in the process of evaluating, validating and applying Microsoft Extended Security Updates (ESUs) to the hosting and managed infrastructures.

[3] Information regarding the validated OS or ESU is available in InCenter.

Cisco ASA and FTD Advisory (CVE-2023-20269) (2023 September 14)

Publication Date: 2023 September 14

Update Date: 2023 September 14

 

Philips is currently monitoring developments and updates related to a recently disclosed Cisco zero-day vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software (CVE-2023-20269). Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to conduct brute-force attacks against existing accounts. With credentials obtained this way, the attacker can establish a clientless SSL VPN session into the organization's network; the impact then depends on the victim's network configuration.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Juniper Networks Junos OS Advisory (CVE-2023-4481) (2023 September 1)

Publication Date: 2023 September 1

Update Date: 2023 September 1

 

Philips is currently monitoring developments and updates related to a recently released Juniper Networks security bulletin concerning a critical vulnerability (CVE-2023-4481) impacting the Junos OS and Junos OS Evolved operating systems. Successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS).

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Citrix NetScaler ADC and Gateway (CVE-2023-3466, CVE-2023-3467, CVE-2023-3519) (2023 July 24)

Publication Date: 2023 July 24

Update Date: 2023 July 24

 

Philips is currently monitoring developments and updates related to three vulnerabilities discovered in Citrix NetScaler ADC and NetScaler Gateway, formerly Citrix ADC and Citrix Gateway (CVE-2023-3466, CVE-2023-3467, CVE-2023-3519).

 

CVE-2023-3466 is a reflected cross-site scripting (XSS) vulnerability.

CVE-2023-3467 is a privilege escalation to the root administrator account (nsroot).

CVE-2023-3519 is an unauthenticated remote code execution vulnerability.

 

These vulnerabilities affect the following supported versions of NetScaler ADC and NetScaler Gateway:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against these vulnerabilities. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Microsoft Windows SmartScreen Security Feature Bypass Advisory (CVE-2023-32049) (2023 July 13)

Publication Date: 2023 July 13

Update Date: 2023 July 13

 

Philips is currently monitoring developments and updates related to a vulnerability (CVE-2023-32049) within Microsoft Windows SmartScreen, an early warning system designed to protect against malicious websites used for phishing attacks or malware distribution.


This flaw was discovered internally by the Microsoft Threat Intelligence Center, and a patch for this vulnerability is now available as part of Microsoft’s July 2023 security update.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Progress Software MOVEit Advisory (Multiple CVEs) (2023 July 12)

Publication Date: 2023 July 12

Update Date: 2023 July 17

 

Philips is currently monitoring developments and updates related to a recently released Progress Software Corporation security bulletin concerning three vulnerabilities (CVE-2023-36932, CVE-2023-36933 and CVE-2023-36934) impacting the MOVEit Transfer managed file transfer software. Successful exploitation of these vulnerabilities could allow an attacker to gain access to sensitive information.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Encore Anywhere – All Versions [1]

Care Orchestrator – All Versions [1]

For all of the above products Philips is evaluating the best possible mitigations.

[1] Product has been patched against these vulnerabilities.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against these vulnerabilities. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Citrix ShareFile StorageZones Controller (CVE-2023-24489) (2023 June 23)

Publication Date: 2023 June 23

Update Date: 2023 June 23

Philips is currently monitoring developments and updates related to a vulnerability discovered in the ShareFile StorageZones Controller which could allow remote code execution (CVE-2023-24489). Applicable products include Citrix ShareFile and Citrix Content Collaboration.


This vulnerability affects all currently supported versions of the customer-managed ShareFile StorageZones Controller before version 5.11.24. Successful exploitation could allow remote code execution in the context of the account under which the controller runs. Depending on the privileges associated with that account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Deployments in which the controller runs with fewer rights on the system are less exposed than those running with administrative rights.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

MOVEit Transfer Zero-Day (CVE-2023-34362) (2023 June 7)

Publication Date: 2023 June 7

Update Date: 2023 July 10

 

Philips is currently monitoring developments and updates related to observed widespread exploitation of a zero-day vulnerability in the MOVEit Transfer managed file transfer software for subsequent data theft. The vulnerabilities were announced by Progress Software Corporation and have been assigned CVE-2023-34362 and CVE-2023-35036.


According to open-source information, beginning on May 27, 2023, the CL0P ransomware gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer databases.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Encore Anywhere [1]

Care Orchestrator [1]

For all of the above products Philips is evaluating the best possible mitigations.

 

[1] Product has been patched against these vulnerabilities.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against these vulnerabilities. Customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing required immediate and proactive support such as remote patching.

Microsoft WinVerifyTrust Signature Validation Advisory (CVE-2013-3900) (2023 May 3)

Publication Date: 2023 May 3

Update Date: 2023 May 10


Philips is currently monitoring developments and updates related to a vulnerability (CVE-2013-3900) within the WinVerifyTrust Signature Validation, which allows attackers to exploit the padding of a Windows Authenticode signature to gain control of a system.


Microsoft first disclosed this vulnerability in December 2013 and has recently republished guidance on its applicability to modern operating systems such as Windows 10 and 11.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

866435 – Care Event 1

866458/867061 - IntelliSpace Perinatal 1

867019 – IntelliVue XDS 1

Data Warehouse Connect 1

866009 - IntelliVue Guardian Software 1

866389 - PICix (All Versions) 1

For all of the above products, Philips is evaluating the best possible mitigations.


1 Software only products with customer owned Operating Systems.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Microsoft Windows Common Log File System (CLFS) Advisory (CVE-2023-28252) (2023 April 17)

Publication Date: 2023 April 17

Update Date: 2023 April 24


Philips is currently monitoring developments and updates related to a Microsoft zero-day vulnerability in the Windows Common Log File System (CLFS), CVE-2023-28252. This vulnerability is being actively exploited by cybercriminals to escalate privileges and deploy ransomware payloads; it can allow an attacker to gain elevated privileges up to the SYSTEM user with little effort.


Microsoft has already released a patch for this vulnerability as part of their April security update.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

867173 - VitalSky 1

866389 - PICix (All Versions) 1

866435 – Care Event 1

Data Warehouse Connect 1

863352 – Efficia Central CMS200 2

881001/881030 – IntelliSpace Portal 1

837507 - IntelliSpace PACS 2

881050 - ISP Enterprise 1

839001 – Vue PACS – VuePortal – VueCloud 2

Ambient Experience 2

Diagnostic Site Server (DSS) 2

For all of the above products, Philips is evaluating the best possible mitigations.


1 Software only products with customer owned Operating Systems.

2 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please contact your local service support team.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Microsoft Protected Extensible Authentication Protocol (PEAP) Advisory (CVE-2023-21701) (2023 March 29)

Publication Date: 2023 March 29

Update Date: 2023 April 17


Philips is currently monitoring developments and updates related to a vulnerability (CVE-2023-21701) within the Protected Extensible Authentication Protocol (PEAP), an authentication protocol used in wireless networks and point-to-point connections. Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition.


Microsoft has already released a patch for this vulnerability as part of their February security update.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Capsule Neurons

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Microsoft TPM 2.0 Advisory (CVE-2023-1017) & (CVE-2023-1018) (2023 March 24)

Publication Date: 2023 March 24

Update Date: 2023 March 24


Philips is currently monitoring developments and updates related to two vulnerabilities in the TPM 2.0 Module Library used by the Microsoft Windows operating system (CVE-2023-1017 and CVE-2023-1018). Successful exploitation of CVE-2023-1017 can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context. Successful exploitation of CVE-2023-1018 can allow an attacker to read or access sensitive data stored in the TPM.


Microsoft has already released a patch for these vulnerabilities as part of their March security update.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

867173 - VitalSky 1

866389 - PICix (All Versions) 1

866435 – Care Event 1

Data Warehouse Connect 1

Monitoring as a Service (eMaas) 2

881001/881030 – IntelliSpace Portal 1

For all of the above products, Philips is evaluating the best possible mitigations.


1 Software only products with customer owned Operating Systems.

2 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please contact your local service support team.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Microsoft Remote Procedure Call (RPC) Advisory (CVE-2023-21708) & (CVE-2023-23405) (2023 March 22)

Publication Date: 2023 March 22

Update Date: 2023 April 25


Philips is currently monitoring developments and updates related to two critical remote code execution vulnerabilities (CVE-2023-21708 and CVE-2023-23405) in the Remote Procedure Call Runtime library of the Microsoft Windows operating system. Successful exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to take control of the system.


Microsoft has already released a patch for these vulnerabilities as part of their March security update.


As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

866435 - CareEvent (B.x/C.x) 1,3

837507 - IntelliSpace PACS 2

784001 – UroNav (3.0, 4.1)

Capsule Neurons

866389 - PICix (All Versions) 1,3

Data Warehouse Connect 1,3

836240 - Universal Data Manager 2

For all of the above products, Philips is evaluating the best possible mitigations.


1 Software only products with customer owned Operating Systems.

2 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please contact your local service support team.

3 Information or patch available on InCenter. Please contact your local service support team.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

CISA/FBI Ransomware Cybersecurity Advisory (2023 February 15)

Publication Date: 2023 February 15

Update Date: 2023 February 15


Philips is aware of the recent joint CISA, FBI, and HHS Cybersecurity Advisory (CSA) warning healthcare facilities of the risks associated with ransomware attacks that fund Democratic People’s Republic of Korea (DPRK) espionage activities.

This Alert (AA23-040A) highlights the fact that there has been an increase in the number of ransomware attacks that are being used to fund DPRK espionage activities targeting the Healthcare Industry. This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. Philips encourages all customers to visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

For more information, see: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

VMware ESXi OpenSLP Ransomware Attacks (CVE-2021-21974) - (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 10


Philips is aware of and is currently monitoring developments and updates related to the recent ransomware attacks in Europe that exploit a heap-overflow vulnerability (CVE-2021-21974) in the OpenSLP service found on VMware’s ESXi hypervisors.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

860426 - IntelliSpace ECG Management System (IECG) 1

837507 – IntelliSpace PACS 2

Trace Master Vue 3.6 1

836240 - Universal Data Manager (UDM) 2

For all of the above products, Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

1 Software only products with customer owned operating systems.

2 For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips’ service teams from providing any required immediate and proactive support, such as remote patching.

Apache Commons Text Advisory (CVE-2022-42889) - Text4Shell (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 09


Philips is currently monitoring developments and updates related to the recently released Apache Commons Text advisory concerning a critical vulnerability (CVE-2022-42889) impacting Apache Commons Text library versions 1.5 through 1.9.

In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. 

Apple Security Update - (2023 February 06)

Publication Date: 2023 February 06

Update Date: 2023 February 06 


Philips is currently monitoring developments and updates related to the recently released Apple security update that addresses several vulnerabilities in multiple products. Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected device.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

JSON Web Token Advisory (CVE-2022-23529) - (2023 January 17)

Publication Date: 2023 January 17

Update Date: 2023 January 17 


Philips is currently monitoring developments and updates related to the recently released critical security vulnerability (CVE-2022-23529) within JSON web token, an open-source JavaScript package that is used for authentication, authorization, and securely exchanging data.


Successful exploitation of this vulnerability could allow an attacker to perform a remote code execution attack. The latest version of JSON web token (9.0.0) is recommended as it includes a fix for the above-mentioned vulnerability.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.  

Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability - (2023 January 11)

Publication Date: 2023 January 11 

Update Date: 2023 January 11 


Philips is currently monitoring developments and updates related to the recently disclosed zero-day vulnerability in the Linux kernel.


The Linux kernel maintainers have released security updates to address a zero-day kernel vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of the Linux kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.


At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.
