Philips Fixes 648 Holes in Xper-IM Connect

Thursday, July 14, 2016 @ 03:07 PM gHale


Philips identified 648 vulnerabilities with an automated software composition analysis tool in its Xper-IM Connect system running on Windows XP and they can end up fixed by upgrading the affected system to a newer version of Windows and installing Philips’ new software version, according to a report with ICS-CERT.

An independent third-party organization has tested the upgraded system with the new software version applied to validate it resolves the reported remotely exploitable vulnerabilities.

RELATED STORIES
Honeywell Updates Uniformance Fix
GE Clears Proficy Vulnerability
WECON Working on LeviStudio Fixes
Moxa Vulnerability on Discontinued Line

Independent researchers Mike Ahmadi of Synopsys and Billy Rios of Whitescope LLC, in collaboration with Philips, discovered the vulnerabilities.

Exploits that target these vulnerabilities are publicly available.

Xper-IM Connect system running Windows XP, Version 1.5.12 and prior versions suffer from the issues.

Successful exploitation of these vulnerabilities may allow a remote attacker to compromise the Xper-IM Connect system.

Philips is a global company that maintains offices in several countries around the world, including countries in Africa, Asia, Europe, Latin America, Middle East, and North America.

The affected product, Windows XP-based Xper-IM Connect system, provides physiomonitoring capabilities along with reporting, scheduling, inventory, and intelligent data management. Xper-IM Connect sees action across the healthcare and public health sector. Philips estimates these products see use primarily in the United States and Europe with a small percentage in Asia.

The Philips Xper-IM Connect system running on Windows XP, Version 1.3.0.065, ended up tested and determined to have 460 vulnerabilities. Philips confirmed 272 of these vulnerabilities are present in five software packages in the Xper-IM Connect system software, and 188 vulnerabilities are with the no longer supported Windows XP operating system. All the 460 vulnerabilities with assigned CWEs numbers can end up categorized as one of the following five types of vulnerabilities: 1) Code Injection, 2) Resource Management Errors, 3) Information Exposure, 4) Numeric Errors, and 5) Improper Restriction of Operations within the Bounds of a Memory Buffer.

The breakdown of vulnerabilities by CVSS score are as follows:
• 360 vulnerabilities had a CVSS base score of 7.0-10.0
• 100 vulnerabilities had a CVSS base score of 4.0-6.9

An attacker with a low skill would be able to exploit these vulnerabilities.

Philips said the Xper-IM Connect system, running on the no longer supported Windows XP operating system, can end up upgraded to Windows 2008-R2, which will address the Windows‑related vulnerabilities.

In addition, the vulnerabilities associated with the Xper-IM Connect system software end up mitigated in Philips’ new software version, Version 1.5, Service Pack 13. Philips said all the reported vulnerabilities end up mitigated by upgrading to the newer version of Windows and applying the new software version.

Philips recommends all Xper-IM Connect users should contact Philips for specific instructions or services to upgrade to the Windows 2008-R2 operating system and to acquire software Version 1.5 Service Pack 13. Philips encourages users to use only Philips-validated and authorized changes for the Xper-IM Connect system supported by Philips authorized personnel or under Philips explicit published directions for product patches, upgrades, or releases.

Users with questions regarding their specific Xper-IM installations should contact their local Philips service support team or their regional Xper IM service support at:
• Service support for North America, 1 800 669 1328 (or +1 321 253 5693)
• Service support for Asia, +852 2821 5888
• Service support for Europe, Middle East, and Africa, +49 7031 463 2254
• Service support for Latin America, +55 11 2125 0744
• Service support for Canada, 1 800 291 6743

Philips recommends all users with and without service contracts reference the product instructions for use for practical guidance toward maintaining their role in an effective product security partnership with Philips. Users should also contact their local service support team to discuss any needed guidance or services.