Publication Date: 2021 June 24
Update Date: 2021 June 24
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible security vulnerabilities, the company is proactively issuing an advisory regarding a potential issue related to certain versions of Philips Interoperability Solutions XDS (Software Versions 2.5 to 3.11 and 2018-1 to 2021-1).
Philips has identified a potential low-severity security vulnerability that requires a high skill level to exploit, and for which there are no known public exploits available. A highly motivated attacker can read the Lightweight Directory Access Protocol (LDAP) system credentials by gaining access to the network channel being used for communication. Should this occur, the risk of cleartext transmission of sensitive information applies to configurations that use LDAP via Transport Layer Security (TLS).
To minimize the potential risk of this vulnerability, Philips has identified the following guidance and mitigations:
- Administrators should disable LDAP referrals on their LDAP servers if LDAP via TLS is used.
- Administrators should configure their LDAP servers to include a complete structure to search.
The Philips software is not to be used for clinical use nor rated as a medical device; therefore, this potential vulnerability would not impact patient safety.
Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.
Users with questions regarding their specific Interoperability Solutions XDS installations are advised by Philips to contact their local Philips service support team. Philips contact information is available at https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or by calling 1-800-722-9377.
Publication on Cybersecurity & Infrastructure Security Agency (CISA) website: https://us-cert.cisa.gov/ics/advisories/icsma-21-175-01