On Thursday researchers Mike Ahmadi of Synopsys and Billy Rios of WhiteScope disclosed 460 vulnerabilities in Philips Xper Connect, an optional bidirectional hospital information system (HIS) interface. They said 272 of these vulnerabilities are present in five software packages in the Xper IM Connect system software; the remaining 188 are associated with the Windows XP operating system, which is no longer supported by Microsoft.
According to the Philips product webpage (now removed), “the Xper Connect family boasts more than 1,000 interface installations* with ADT, query ADT, billing, orders, inventory, labs, results, and discrete clinical data.”
Exploitation of these vulnerabilities may allow a remote attacker to compromise an Xper IM Connect system running Windows XP, Version 1.5.12 and prior versions. A breakdown of the vulnerabilities by Common Vulnerability Scoring System (CVSS) base score is as follows:
360 vulnerabilities were identified as having a CVSS base score of 7.0 to 10.0, and
100 vulnerabilities were identified as having a CVSS base score of 4.0 to 6.9.
Philips says that all the identified vulnerabilities can be addressed by upgrading the affected system to the Windows 2008-R2 operating system and acquiring software Version 1.5 Service Pack 13.
In March, Ahmadi and Rios identified 1,418 vulnerabilities in the CareFusion Pyxis SupplyStation. In that case, the product had been discontinued. In this case, the product remains in active use: there are more than 1,000 interface installations with ADT, query ADT, billing, orders, inventory, labs, results, and discrete clinical data, according to Philips.
For both vulnerability discoveries, the researchers used Black Duck Binary Analysis (formerly Protecode/AppCheck).
Here is the official advisory from ICS-CERT.