Publication Date: 13 October 2020 

Update Date: 20 November 2020
 

Philips is currently monitoring developments and updates related to the Microsoft CVE-2020-16898 security advisory issued on 13 October 2020. The advisory highlighted a remote code execution vulnerability that affects multiple versions of the Windows 10 and Windows Server operating systems. This vulnerability, also referred to as “Bad Neighbor”, resides in the way Windows handles ICMPv6 Router Advertisement packets, and could allow a remote attacker to execute code on an affected system.
 

As part of product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions that use Microsoft operating systems for potential impacts from these reported vulnerabilities, and are validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further possible actions as needed.

 

Microsoft provided a security update. Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options. According to Microsoft, to exploit the vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. As the advisory is updated by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference the product-specific information posted there. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
 

Begin Update B: 20 November 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-16898. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Affiniti 30/50/70
eICU eCare Manager*     
IntelliSpace Critical Care and Anesthesia (ICCA) (Versions: H.x/J.x)*
ClearVue
Epiq 5/7
IntelliSpace Portal Workstation 11.0**
CX50
Hemodynamic Application v1.1.x, 1.2.x
IntelliVue Guardian Software (Versions: E.0x)*
DoseWise Portal
Holter Recorder DigiTrak XT (DTXT) v3.0.3*
Sparq
EchoNavigator v3.0.3
IntelliSpace Connect***
ST80i A.02 v2.05*

*Software-only products with customer-owned operating systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

 

End Update B

 

Begin Update A: 11 November 2020
 

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2020-16898. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.

Affiniti 30/50/70
EchoNavigator v3.0.3
IntelliSpace Connect
ClearVue
Epiq 5/7
IntelliSpace Portal Workstation 11.0**
CX50
Hemodynamic Application v1.1.x, 1.2.x
Sparq
DoseWise Portal
Holter Recorder DigiTrak XT (DTXT) v3.0.3*
ST80i A.02 v2.05*

*Software-only products with customer-owned operating systems

**Information or patch available in InCenter

***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure

 

End Update A