Publication Date:  February 26, 2018

Update Date:  April 18, 2018


As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of a potential system security vulnerability, the company issued a proactive advisory concerning potential issues with Versions 8.0.x and 7.0.x of the Philips IntelliSpace Portal clinical imaging visualization and analysis solution. NOTE: no incidents of security breach have been reported as a result of these potential vulnerabilities. 


After Philips disclosed the advisory, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) published it as Advisory ICSMA-18-058-02 (release date February 27, 2018), listing six identified potential issues.


Philips is providing you with more detailed information about the nature of the potential issues reported, the assessment of security vulnerabilities related to these issues, and the mitigation plan to address them.


Below are the potential issues, as reported, each with a brief explanation of the source of the issue and the mitigation plan:

ICS-CERT DESCRIPTION: INFORMATION EXPOSURE CWE-200
The ISP has multiple information exposure vulnerabilities that could allow an attacker to gain unauthorized access to sensitive information.
REASON/RESPONSE: Follow Philips recommendations on installing Microsoft security updates.
MITIGATION: Verify that MS17-010 - Security Update for Microsoft Windows SMB Server (4013389) is installed on the ISP system.

ICS-CERT DESCRIPTION: PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264
The ISP has multiple permission, privilege and access control vulnerabilities that could allow an attacker to gain unauthorized access and in some cases escalate their level of privilege or execute arbitrary code.
REASON/RESPONSE: Access permissions and system configuration items should be reconfigured to assure tighter access control.
MITIGATION: Will be addressed in the next Service Pack*

ICS-CERT DESCRIPTION: LEFTOVER DEBUG CODE CWE-489
The ISP has a vulnerability where code debugging methods are enabled, which could allow an attacker to remotely execute arbitrary code during runtime.
REASON/RESPONSE: Parts of the ISP legacy code are based on previous software security standards. Current software practices will be in line with updated security standards.
MITIGATION: Will be addressed in the next Service Pack*

ICS-CERT DESCRIPTION: IMPROPER INPUT VALIDATION CWE-20
The ISP has multiple input validation vulnerabilities that could allow a remote attacker to execute arbitrary code or cause the application to crash.
REASON/RESPONSE: Parts of the ISP legacy code are based on previous software security standards. Current software practices will be in line with updated security standards.
MITIGATION: Will be addressed in the next Service Pack*

ICS-CERT DESCRIPTION: UNQUOTED SEARCH PATH OR ELEMENT CWE-428
An unquoted search path or element vulnerability has been identified, which may allow an authorized local user to execute arbitrary code and escalate their level of privileges.
REASON/RESPONSE: Parts of the ISP legacy code are based on previous software security standards. Current software practices will be in line with updated security standards.
MITIGATION: Will be addressed in the next Service Pack*

ICS-CERT DESCRIPTION: CRYPTOGRAPHIC ISSUES CWE-310
The ISP has multiple cryptographic vulnerabilities that could allow an attacker to gain unauthorized access to resources and information.
REASON/RESPONSE:
  1. Current ISP versions implement legacy encryption protocols. The next ISP service pack will include updated cryptographic protocols.
  2. Customers shall use a purchased or generated cryptographic certificate.
MITIGATION:
  1. Software-related issues will be addressed in the next Service Pack*
  2. Make sure an appropriate certificate is purchased or generated, and installed on the ISP system.
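The CWE-428 row describes an unquoted service path. Windows resolves an unquoted ImagePath that contains spaces by trying each space-delimited prefix in turn, so a directory early in that path that a local user can write to lets that user supply the binary the service starts with its own privileges. The following audit, an added example that is not Philips' or ICS-CERT's tooling, lists the services on a Windows host whose executable path is unquoted and contains a space, which is what an administrator would run to confirm the finding and to inventory other affected services. It assumes only the built-in Win32_Service class; the exclusion of paths under the Windows directory is a triage heuristic (those directories are not writable by standard users), not something the advisory states.

```powershell
# Added example (not Philips' code): report Windows services whose executable
# path is unquoted and contains a space (CWE-428, unquoted search path).
# Read-only: it reports and does not modify any service.

function Get-UnquotedServicePath {
    param(
        # Set to $true to also list services under $env:SystemRoot; those are
        # normally not writable by standard users and are filtered out by default.
        [bool]$IncludeSystemRoot = $false
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $pathName = $_.PathName
        if (-not $pathName) { return }                 # kernel drivers etc. have no path
        if ($pathName.StartsWith('"')) { return }      # already quoted: not affected

        # Separate the executable from its arguments: take everything up to the
        # first ".exe" (case-insensitive, -match default); otherwise the first token.
        $exe = if ($pathName -match '^(.*?\.exe)') { $Matches[1] } else { $pathName.Split(' ')[0] }

        if ($exe -notmatch ' ') { return }             # no space: resolution is unambiguous
        if (-not $IncludeSystemRoot -and $exe -like "$env:SystemRoot*") { return }

        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $_.StartName                  # account the service runs as
            StartMode  = $_.StartMode
            Executable = $exe
            PathName   = $pathName
        }
    }
}

# Usage: print the findings. An empty table means no unquoted paths were found
# outside the Windows directory.
Get-UnquotedServicePath | Format-Table -AutoSize
```

The correction for an affected service is to wrap the executable portion of the ImagePath in double quotes; for the ISP components themselves Philips states above that this comes with the next Service Pack, so use the report to confirm the condition and to check any third-party services on the same host rather than editing vendor service entries by hand.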

*Philips is actively developing and planning to issue software updates to mitigate these potential issues:

• ISP 7.0 Corrective Version (Service Pack 4) is planned to be released by end-June, 2018

• ISP 8.0 Corrective Version (Service Pack 3) is planned to be released by end-December, 2018


Due to the nature of these issues, Philips recommends you follow the guidelines provided here:

1. To address INFORMATION EXPOSURE CWE-200 (High Risk) - Verify that MS17-010 - Security Update for Microsoft Windows SMB Server (4013389) is installed on the ISP system.

2. Due to the low probability and severity of compromise (risk assessment) of the other possible issues, Philips’ recommendation is to continue using the system until a corrective version/service pack is provided.
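Guideline 1 asks the customer to verify that MS17-010 is installed. The script below, an added example that is not Philips' or Microsoft's tooling, performs that check on the ISP host by looking up the installed hotfix list, reporting the SMB server driver version for manual comparison, and stating whether the SMBv1 server protocol is enabled. The advisory cites only KB4013389, the bulletin's umbrella number; the OS-specific KB numbers in the list are my reading of the MS17-010 bulletin and should be confirmed against Microsoft's current list before the result is relied on. Because later cumulative updates supersede these KBs, a miss in Get-HotFix is not proof that the host is unpatched.

```powershell
# Added example (not Philips' code): verify MS17-010 on the local ISP host.
# Run in an elevated PowerShell session on the ISP system.

# KB4013389 is the number the advisory gives. The remaining entries are the
# per-OS hotfix numbers from the MS17-010 bulletin as the author recalls them
# (assumption: confirm against Microsoft's bulletin before relying on them).
$ms17010Kbs = @(
    'KB4013389',                           # umbrella KB cited in the advisory
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008 / XP / Server 2003
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010 {
    # Returns an object summarising the three signals; nothing is modified.
    $installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }

    # Microsoft's own verification guidance keys on the srv.sys file version,
    # which also covers hosts patched by a superseding cumulative update.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems the SMB1 state is left as "unknown".
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        Ms17010KbFound   = [bool]$installed
        MatchingKbs      = ($installed | ForEach-Object { $_.HotFixID }) -join ', '
        SrvSysVersion    = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not found' }
        Smb1ServerEnabled = $smb1
    }
}

$result = Test-Ms17010
$result | Format-List

if (-not $result.Ms17010KbFound) {
    Write-Output 'No MS17-010 KB found via Get-HotFix. Compare the srv.sys version with the bulletin, or check the cumulative update history, before concluding the host is unpatched.'
}
```

Keep the output with the change record for the ISP host: the KB list, the srv.sys version and the SMB1 state together are what a reviewer needs to confirm that guideline 1 has been met, and the SMB1 line is worth revisiting once the Philips service pack has been applied.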


Customers with questions regarding their specific IntelliSpace Portal installations are advised by Philips to contact their local Philips service support team or their regional service support. Philips contact information is available at the following location: 

https://www.usa.philips.com/healthcare/solutions/customer-service-solutions