Publication Date: 2021 February 09 

Update Date:  2021 February 15

 

Philips is currently monitoring developments and updates related to the recent Microsoft alert concerning a set of fixes affecting Windows TCP/IP implementation that includes two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086).

 

The three TCP/IP security vulnerabilities impact computers running Windows client and server versions starting with Windows 7 and higher. According to Microsoft, of the three vulnerabilities, the CVE-2021-24086 flaw is most likely to be exploited for orchestration of denial-of-service attacks that cause a STOP error with a Blue Screen of Death in Windows OS.


The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are less likely to be exploited in the short term. However, researchers at Microsoft believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, Microsoft recommends customers move quickly to apply Windows security updates as soon as possible. These vulnerabilities result from a flaw in Microsoft’s implementation of TCP/IP and affect all Windows versions. 

 

Microsoft has released patches to help remediate these vulnerabilities. Philips is currently in the process of evaluating these patches. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. 

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise)  are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.