Publication Date: November 13, 2017
Update Date: November 13, 2017
Philips has confirmed testing observations submitted into Philips by a Philips customer that the ISCV application (version 220.127.116.11) contains a security vulnerability that under certain specific conditions may result in the storage of username and password credentials in clear text within one or more unencrypted system log files, configuration files, or backup files. Philips has further identified that certain conditions of the same security vulnerability also affect potentially all product versions of Philips ISCV (2.3.0 and earlier) and Xcelera (R4.1L1 and earlier).
Philips has received no reports of exploitation of these vulnerabilities or incidents from systems in clinical use that we have been able to associate with this problem.
To remediate this vulnerability, Philips initiates a voluntary medical device correction targeted to be issued for all ISCV systems affected by this vulnerability. Philips is producing software updates for all ISCV and latest Xcelera versions, some of which are available upon request at the time of this advisory (ISCV 1.x, 2.2) for install while other versions are in process of development to be completed by end of 2017. As ISCV updates become available, they are being aligned into a proactive field change order (reference FCO83000202) for Philips to communicate and remediate the identified vulnerability conditions for affected customers.
Customers with questions regarding their specific ISCV or Xcelera installation should contact their local Philips service support team or their regional service support.
In alignment with Philips’ Responsible Disclosure Policy and U.S. FDA Post-Market requirements, Philips worked with the customer who submitted the vulnerability observation and appropriate government agencies to draft and distribute a public security advisory concerning these vulnerabilities.