Philips Xper-IM Connect Vulnerabilities
ICSA: ICS Advisory (ICSMA-16-196-01)
Independent researchers Mike Ahmadi of Synopsys and Billy Rios of Whitescope LLC, in collaboration with Philips, have used an automated software composition analysis tool to identify numerous vulnerabilities in the Philips Xper-IM Connect system running on Windows XP. Philips reports that the identified vulnerabilities can be addressed by upgrading the affected system to a newer version of Windows and installing Philips’ new software version. An independent third-party organization has tested the upgraded system with the new software version applied to validate that it resolves the reported vulnerabilities.
These vulnerabilities could be exploited remotely.
Exploits that target these vulnerabilities are known to be publicly available.
The following Philips Xper-IM Connect versions are affected:
- Xper-IM Connect system running Windows XP, Version 1.5.12 and prior versions.
Successful exploitation of these vulnerabilities may allow a remote attacker to compromise the Xper-IM Connect system.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
Philips is a global company that maintains offices in several countries around the world, including countries in Africa, Asia, Europe, Latin America, the Middle East, and North America.
The affected product, the Windows XP-based Xper-IM Connect system, provides physiomonitoring capabilities along with reporting, scheduling, inventory, and intelligent data management. According to Philips, Xper-IM Connect is deployed across the Healthcare and Public Health sector. Philips estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.
The Philips Xper-IM Connect system running on Windows XP, Version 1.3.0.065, was tested and determined to have 460 vulnerabilities. Philips has confirmed that 272 of these vulnerabilities are present in five software packages in the Xper-IM Connect system software, and 188 vulnerabilities are associated with the no longer supported Windows XP operating system. All of the 460 vulnerabilities with assigned CWE numbers can be categorized as one of the following five types of vulnerabilities: 1) Code Injection,[a] 2) Resource Management Errors,[b] 3) Information Exposure,[c] 4) Numeric Errors,[d] and 5) Improper Restriction of Operations within the Bounds of a Memory Buffer.[e]
The breakdown of vulnerabilities by CVSS score is as follows:
- 360 vulnerabilities were identified as having a CVSS base score of 7.0-10.0, and
- 100 vulnerabilities were identified as having a CVSS base score of 4.0-6.9.
These vulnerabilities could be exploited remotely.
EXISTENCE OF EXPLOIT
Exploits that target these vulnerabilities are publicly available.
An attacker with low skill would be able to exploit these vulnerabilities.
Philips reports that the Xper-IM Connect system, running on the no longer supported Windows XP operating system, can be upgraded to Windows 2008-R2, which will address the Windows‑related vulnerabilities. In addition, the vulnerabilities associated with the Xper-IM Connect system software are addressed by Philips’ new software version, Version 1.5, Service Pack 13. Philips reports that all the reported vulnerabilities are mitigated by upgrading to the newer version of Windows and applying the new software version.
Philips recommends that all Xper-IM Connect users contact Philips for specific instructions or services to upgrade to the Windows 2008-R2 operating system and to acquire software Version 1.5 Service Pack 13. Philips encourages users to use only Philips-validated and authorized changes for the Xper-IM Connect system, supported by Philips-authorized personnel or made under Philips’ explicit published directions for product patches, upgrades, or releases.
Users with questions regarding their specific Xper-IM installations should contact their local Philips service support team or their regional Xper IM service support at:
- Service support for North America, 1 800 669 1328 (or +1 321 253 5693);
- Service support for Asia, +852 2821 5888;
- Service support for Europe, Middle East, and Africa, +49 7031 463 2254;
- Service support for Latin America, +55 11 2125 0744; and
- Service support for Canada, 1 800 291 6743.
Philips highly recommends that all users with and without service contracts reference the product instructions for use for practical guidance toward maintaining their role in an effective product security partnership with Philips. Users should also contact their local service support team to discuss any needed guidance or services.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Ensure that nonproduct-related software packages, such as email and web browser software, are not installed on medical devices, as they could contain vulnerabilities and malware, and could broaden the attack surface, which could impact the intended function of the device.
- Minimize network exposure for all medical devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
ICS-CERT also provides a section for security recommended practices on the ICS-CERT web page at http://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-94: Improper Control of Generation of Code ('Code Injection'), http://cwe.mitre.org/data/definitions/94.html, web site last accessed July 14, 2016.
- b. CWE-399: Resource Management Errors, http://cwe.mitre.org/data/definitions/399.html, web site last accessed July 14, 2016.
- c. CWE-200: Information Exposure, http://cwe.mitre.org/data/definitions/200.html, web site last accessed July 14, 2016.
- d. CWE-189: Numeric Errors, http://cwe.mitre.org/data/definitions/189.html, web site last accessed July 14, 2016.
- e. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed July 14, 2016.