Publication Date: August 14, 2018
Update Date: August 14, 2018
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
As part of Philips’ Coordinated Vulnerability Disclosure Policy and aligned with U.S. FDA Post-Market Guidance requirements for the awareness and remediation of potential system security vulnerabilities, the company will issue an advisory in cooperation with U.S. DHS/ICS-CERT concerning possible issues with the Philips IntelliSpace Cardiovascular (ISCV) and Xcelera.
Philips has confirmed the findings of a customer submitted complaint of vulnerabilities affecting the Philips IntelliSpace Cardiovascular system version 2.3.1. Philips analysis also confirmed that 3.1 and earlier of the Philips IntelliSpace Cardiovascular system and version 4.x and 3.x of Xcelera are affected as well:
- In ISCV version 2.x and earlier and Xcelera 4.x and 3.x the servers contain 20 Windows services of which the executables are being present in a folder where authenticated users have write permissions. The services run as a local admin account or local system account, and if a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions.
- In ISCV version 3.x and earlier and Xcelera 4.x and 3.x there are 16 Windows services that do not have quotes in the path name. These services are running with local admin rights, and are initiated with a registry key. This path may permit a user to place an executable that provides local admin rights.
If a user were to replace one of the executables with a different program, that program too would be executed with local admin or local system permissions.
Impact / Risk:
The issue occurs only if an authenticated user (without admin privileges) is able to access the ISCV/Xcelera servers locally. By default, this is disabled, since only administrators have the ability access to the ISCV/Xcelera servers locally.
Mitigation / Workaround:
Both vulnerabilities can be mitigated by changing Windows settings. Instructions on how to change these settings are provided in attached Service Bulletin: ISCV and Xcelera Windows services vulnerabilities. This Service Bulletin is also available on InCenter.
Philips will fix this issue in the next software update: IntelliSpace Cardiovascular 3.2.0, to be released in October 2018. This version will be announced and become available to customers via the regular communication and distribution channels.
At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities.
Philips recognizes that the security of our healthcare, personal health, and home consumer products and services are business critical for our customers. Philips has taken the lead in creating a Coordinated Vulnerability Disclosure policy, to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner.
Customers with questions regarding their specific Philips IntelliSpace Cardiovascular (ISCV) and Xcelera installations are advised to contact their local Philips service support team or their regional service support.