Publication Date: August 1, 2019
Update Date: October 1, 2019
Philips is aware of recently published findings, reported jointly by Armis (security researchers) and Wind River, regarding security vulnerabilities identified within components of the TCP/IP network stack (IPnet) that has been integrated into certain operating systems, including specific versions of Wind River’s VxWorks. VxWorks is a real-time operating system used in over 2 billion embedded systems, including medical devices, routers, VoIP phones and mission-critical infrastructure equipment.

The collection of vulnerabilities, which the Armis security research firm refers to as "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without any user interaction. Of the 11 flaws, five are deemed critical. Successful exploitation of these vulnerabilities could allow an unauthorized user to execute arbitrary code on the target system. An unauthorized user could then install programs; view, change, or delete data; or create new accounts with full user rights.

Philips is currently monitoring developments and updates related to the recently published advisories (the US FDA advisory and the US DHS ICS advisory ICSA-19-274-01) concerning the 11 reported CVEs referred to as Urgent/11. The advisories list several versions of VxWorks as not vulnerable, which Philips has taken into consideration for product evaluation and analysis.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions that use VxWorks, or other components that may be exposed to the reported TCP/IP (IPnet) vulnerabilities, for potential impact, and are validating the appropriate actions. Philips is also monitoring for OS updates related to these vulnerabilities and evaluating further actions or updates to potentially affected Philips products. Patches to help remediate these vulnerabilities have been released for VxWorks, and Philips is currently in the process of evaluating them.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products, which are to be deployed and operated within Philips-approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all configuration or software changes to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and to reference the product-specific information posted there. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support, as appropriate, for up-to-date information specific to their Philips products.

Begin Update D: September 11, 2019
Philips is providing the list below to help customers identify Philips products that are vulnerable to Urgent/11. However, the list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)**
Multiva/Prodiva (R5.4)***
Zenition**

** Information or patch available in InCenter

*** Vulnerability is TCP/IP related and these products are not network connected

**** End of Life (EoL)
End Update D
Begin Update C: August 15, 2019
Philips is providing the list below to help customers identify Philips products that are vulnerable to Urgent/11. However, the list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate patch or device status.

Achieva and Achieva 3.0T (R5.3, R5.4 and higher)***
GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Ingenia (R4, R5.3, R5.4 and higher)***
Multiva (R5.3, R5.4)***
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Multiva/Prodiva (R5.4)***
Zenition**

** Information or patch available in InCenter

*** Vulnerability is TCP/IP related and these products are not network connected

**** End of Life (EoL)
End Update C
Begin Update B: August 8, 2019
Philips is providing the list below to help customers identify Philips products that are vulnerable to Urgent/11. However, the list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate patch or device status.

Update B supersedes the products listed in Update A, as those products were determined to be running non-vulnerable versions of VxWorks.

GEOPC (Component of Allura & Azurion)***
HDI 3000****
HDI 3500****
Smart-hopping Access Point Controller (for MX40 and Telemetry products)
Zenition**

** Information or patch available in InCenter

*** Vulnerability is TCP/IP related and these products are not network connected

**** End of Life (EoL)
End Update B

Begin Update A: August 2, 2019
Philips is providing the list below to help customers identify Philips products that are vulnerable to Urgent/11. However, the list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate patch or device status.

<Reference table in Update B>

** Information or patch available in InCenter

End Update A