-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1754
                  Philips Xper-IM Connect Vulnerabilities
                               15 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Philips Xper-IM Connect
Operating System:  Windows XP
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01

Comment: Proof of concept code is publicly available.

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-16-196-01)

Philips Xper-IM Connect Vulnerabilities

Original release date: July 14, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Independent researchers Mike Ahmadi of Synopsys and Billy Rios of Whitescope 
LLC, in collaboration with Philips, have identified numerous vulnerabilities 
with an automated software composition analysis tool in the Philips Xper-IM 
Connect system running on Windows XP. Philips reports that the identified 
vulnerabilities can be addressed by upgrading the affected system to a newer 
version of Windows and installing Philips new software version. An independent
third-party organization has tested the upgraded system with the new software
version applied to validate that it resolves the reported vulnerabilities.

These vulnerabilities could be exploited remotely.

Exploits that target these vulnerabilities are known to be publicly available.

AFFECTED PRODUCTS

The following Philips Xper-IM Connect versions are affected:

Xper-IM Connect system running Windows XP, Version 1.5.12 and prior versions.

IMPACT

Successful exploitation of these vulnerabilities may allow a remote attacker 
to compromise the Xper-IM Connect system.

Impact to individual organizations depends on many factors that are unique to
each organization. NCCIC/ICS-CERT recommends that organizations evaluate the 
impact of these vulnerabilities based on their operational environment and 
specific clinical usage. BACKGROUND

Philips is a global company that maintains offices in several countries around
the world, including countries in Africa, Asia, Europe, Latin America, Middle
East, and North America.

The affected product, Windows XP-based Xper-IM Connect system, provides 
physiomonitoring capabilities along with reporting, scheduling, inventory, and
intelligent data management. According to Philips, Xper-IM Connect is deployed
across the Healthcare and Public Health sector. Philips estimates that these 
products are used primarily in the United States and Europe with a small 
percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

The Philips Xper-IM Connect system running on Windows XP, Version 1.3.0.065, 
was tested and determined to have 460 vulnerabilities. Philips has confirmed 
that 272 of these vulnerabilities are present in five software packages in the
Xper-IM Connect system software, and 188 vulnerabilities are associated with 
the no longer supported Windows XP operating system. All the 460 
vulnerabilities with assigned CWEs numbers can be categorized as one of the 
following five types of vulnerabilities: 1) Code Injection, [a] 2) Resource 
Management Errors, [b] 3) Information Exposure, [c] 4) Numeric Errors, [d] and 5) 
Improper Restriction of Operations within the Bounds of a Memory Buffer. [e]

The breakdown of vulnerabilities by CVSS score are as follows:

360 vulnerabilities were identified as having a CVSS base score of 7.0-10.0, 
and

100 vulnerabilities were identified as having a CVSS base score of 4.0-6.9.

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities are publicly available.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

Philips reports that the Xper-IM Connect system, running on the no longer 
supported Windows XP operating system, can be upgraded to Windows 2008-R2, 
which will address the Windowsrelated vulnerabilities. In addition, the 
vulnerabilities associated with the Xper-IM Connect system software are 
addressed by Philips new software version, Version 1.5, Service Pack 13. 
Philips reports that all the reported vulnerabilities are mitigated by 
upgrading to the newer version of Windows and applying the new software 
version.

Philips recommends that all Xper-IM Connect users should contact Philips for 
specific instructions or services to upgrade to the Windows 2008-R2 operating
system and to acquire software Version 1.5 Service Pack 13. Philips encourages
users to use only Philips-validated and authorized changes for the Xper-IM 
Connect system supported by Philips authorized personnel or under Philips 
explicit published directions for product patches, upgrades, or releases.

Users with questions regarding their specific Xper-IM installations should 
contact their local Philips service support team or their regional Xper IM 
service support at:

Service support for North America, 1 800 669 1328 (or +1 321 253 5693);

Service support for Asia, +852 2821 5888;

Service support for Europe, Middle East, and Africa, +49 7031 463 2254;

Service support for Latin America, +55 11 2125 0744; and

Service support for Canada, 1 800 291 6743.

Philips highly recommends that all users with and without service contracts 
reference the product instructions for use for practical guidance toward 
maintaining their role in an effective product security partnership with 
Philips. Users should also contact their local service support team to discuss
any needed guidance or services.

ICS-CERT recommends that users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

Ensure that nonproduct-related software packages, such as email and web 
browser software, are not installed on medical devices, as they could contain
vulnerabilities, malware, and broaden the attack surface, which could impact 
the intended function of the device.

Minimize network exposure for all medical devices and/or systems, and ensure 
that they are not accessible from the Internet.

Locate all medical devices and remote devices behind firewalls, and isolate 
them from the business network.

When remote access is required, use secure methods, such as Virtual Private 
Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize that VPN is only
as secure as the connected devices.

ICS-CERT also provides a section for security recommended practices on the 
ICS-CERT web page at 
http://ics-cert.us-cert.gov/content/recommended-practices. ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
deploying defensive measures.

Additional mitigation guidance and recommended practices are publicly 
available in the ICSCERT Technical Information Paper, 
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation 
Strategies, that is available for download from the ICS-CERT web site 
(http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

a. CWE-94: Improper Control of Generation of Code ('Code Injection'), 
http://cwe.mitre.org/data/definitions/94.html, web site last accessed July 14,
2016.

b. CWE-399: Resource Management Errors, 
http://cwe.mitre.org/data/definitions/399.html, web site last accessed July 
14, 2016.

c. CWE-200: Information Exposure, 
http://cwe.mitre.org/data/definitions/200.html, web site last accessed July 
14, 2016.

d. CWE-189: Numeric Errors, http://cwe.mitre.org/data/definitions/189.html, 
web site last accessed July 14, 2016.

e. CWE-119: Improper Restriction of Operations within the Bounds of a Memory 
Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed
July 14, 2016.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov (link sends e-mail)

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can 
help by choosing one of the links below to provide feedback about this 
product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV4hsZ4x+lLeg9Ub1AQicFQ/8CZjN05tV2Kk/am9PERUU2p4Etop3R54V
Cy2wziaMz7CvJUjFJJHWwom5Hs+HHQelIoUk3In204U0zeFb0egW9szclFPPPC8m
35iq5fFVhs4hf2iq/ReJoiYu2HkoNPF2Y6jwCgDbmazQ3WT9/oPb6M1tLjOQCLDv
AQqpJYnHwv1Ma9DRkzJgjHm6yUP+LHm0XidDzBHSe0kG/g1lJEL1bdeiwPwa50s7
1lcGOnJ/2aaSQVA+Q1xBUyBXET3M3gFb3X/w4BYEiBrrNMarqwFCN2Qlz1n3D6D5
xaRxzZASnZPejkk4K9Y/HPyIeq2kcyqcLMq6w9xqLbJtW0+E3wNgqa7i4y5B2ZER
/mlo9CX4d/DmB9hi+D3RkhQjCU8CN6CqcBaaSiIzOxDSLpWnFqjd1CgGEwdnHKxl
MiDR7h+XybMv+0k6K/MmoGP5luT17i5FOfKdoWGKccFbXGjYnKcfL3P0mfjv/maC
V5yCIzBLT8IAjmyU9JLpefAjh2aI88UHIX/ArcFuFVVuhQ1XQLcirG7JtcqQ4VS6
3Gp1kFZ2OqWLLHBbIyuBGq98f55kRzJWpStqSxtkVbfEMzDuY3Rr6xnNqjGgcn79
v7DyJXTwGHb2NFgcWjk/gQZN4/9OyrWLdeMzw+wXHIOj+vayZbAvSm9tNUxCBLTC
ebRj7OnSbpg=
=sfUH
-----END PGP SIGNATURE-----