Medical device manufacturer Philips Healthcare has initiated a medical device field correction action concerning all Xper information management system components and Calysto system components installed after January 2008.
Philips Healthcare has become aware that certain default passwords loaded on a number of our devices at the factory have been recently disclosed to the general public by security researchers. If passwords for the workstation or server hosting the software are unchanged following installation, there exists the possibility of access to the operating system of the device. This could enable an unauthorized user to gain control of the operating system of the workstation and server supporting the patient monitoring system.
The security researchers also demonstrated a network based heap overflow vulnerability in the Xper Connect broker component on port 6000 of the device. Although the exploit code has not been publicly disclosed, Philips Healthcare is currently working on resolutions to this issue. As a temporary measure, this port can be safely firewalled to eliminate any immediate threat.
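One way to apply the interim mitigation on the Windows workstation or server hosting the Xper software, as an added example that is not part of the notice or of Philips' own guidance: instead of a broad block rule (in Windows Firewall a Block rule overrides any Allow rule, so pairing the two does not give an allow-list), keep the profiles' default inbound action at Block, remove any rule that opens TCP 6000 to every remote address, and allow the port only from the hosts that legitimately talk to the Xper Connect broker. The peer addresses and rule names below are placeholders; the NetSecurity module (Windows 8 / Server 2012 and later) is assumed to be present, and the change is assumed to be coordinated with the local Philips service organization as the notice asks.

```powershell
# Added example, not from the notice. Assumes Windows with the NetSecurity module.
# Replace $AllowedPeers with the systems that legitimately reach the Xper Connect broker.
$XperPort     = 6000
$AllowedPeers = @('192.0.2.10', '192.0.2.11')   # placeholder addresses (assumption)

# 1. Make sure every profile blocks unsolicited inbound traffic by default,
#    so anything not explicitly allowed below is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. List existing inbound Allow rules for TCP 6000 so an old "open to everyone"
#    rule can be reviewed and disabled (a wide Allow would otherwise keep the port exposed).
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $XperPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$openRules | Select-Object DisplayName, Enabled, Profile
$openRules | Disable-NetFirewallRule

# 3. Allow the broker port only from the known peers.
New-NetFirewallRule -DisplayName 'Xper Connect TCP 6000 - allowed peers only' `
    -Direction Inbound -Protocol TCP -LocalPort $XperPort `
    -RemoteAddress $AllowedPeers -Action Allow -Profile Any

# 4. Verify what is now in effect for this port.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq $XperPort } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled
```

Run the script in an elevated PowerShell session; step 2 intentionally disables rather than deletes any broad rule it finds so the original configuration can be restored once Philips ships its fix. Confirm from one of the listed peers that the broker still answers and from any other host that the connection is refused or times out.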
The manufacturer advises users to alter the service account(s) per the facility IT security protocols and to contact the local Philips service organization to inform them of any changes to the service accounts the users may have altered or created.
According to the local supplier, the affected products were distributed in Hong Kong.
If you are in possession of the affected product, please contact your supplier for necessary actions.
Posted on 7 March 2013