OTPulse

Philips EncoreAnywhere

Monitor · CVSS 5.9 · ICS-CERT ICSMA-18-137-02 · May 17, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Philips EncoreAnywhere versions 2.36.3.3 and earlier fail to encrypt remote access communications, allowing unencrypted transmission of sensitive data between remote users and the EncoreAnywhere server. Successful exploitation allows an attacker on the network path to passively intercept and read this traffic without authentication. Philips has not released a full fix and states mitigation improvements will be available by September 2018.

What this means
What could happen
An attacker could intercept and read unencrypted communications from EncoreAnywhere remote access sessions, potentially exposing sensitive patient or operational data transmitted between remote users and clinical systems.
Who's at risk
Healthcare organizations using Philips EncoreAnywhere for remote clinical system access and support. This affects remote desktop and remote support services used by biomedical engineers, IT support staff, and potentially clinicians connecting from external locations.
How it could be exploited
An attacker with network access to communications between a remote user and the EncoreAnywhere server could passively intercept and read unencrypted traffic. This requires a position on the network path (network access, not direct interaction with the device) and the ability to capture and analyze the unencrypted protocol.
Prerequisites
  • Network access to communications channel between remote client and EncoreAnywhere server
  • Ability to position on network path (man-in-the-middle position) or intercept traffic
  • No credentials required to read unencrypted traffic
  • Remotely exploitable
  • No authentication required to intercept unencrypted data
  • No patch available from vendor
  • Affects confidentiality of clinical data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
EncoreAnywhere APAC: <= 2.36.3.3 | ≤ 2.36.3.3 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Network segmentation: Isolate EncoreAnywhere and clinical system networks from the business network and Internet
HARDENING: Implement firewall rules to restrict EncoreAnywhere access to authorized networks only; block direct Internet access
HARDENING: Require VPN with current encryption for all remote EncoreAnywhere access; verify VPN clients and endpoints are fully patched
WORKAROUND: Monitor for and block unencrypted EncoreAnywhere connections on your network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Review and test network monitoring and detection for suspicious traffic patterns on remote access connections
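
One way to test the monitoring and VPN-only items above, as an added example that is not part of the advisory or any Philips tooling: a flow classifier for a sensor watching traffic to the EncoreAnywhere server. The server address, VPN pool and sample payloads are placeholders constructed for illustration; the advisory gives no addresses, ports or protocol details.

```python
import ipaddress

# Assumed values for illustration; the advisory lists no addresses or ports.
ENCORE_SERVER = ipaddress.ip_address("192.0.2.10")  # placeholder server address
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")      # placeholder VPN client pool

def looks_like_tls(payload):
    """True if the first client bytes are a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    return (payload[0] == 0x16                # record type: handshake
            and payload[1] == 0x03            # protocol major version
            and payload[2] <= 0x04            # minor version, SSL 3.0 to TLS 1.3
            and 0 < record_len <= 16384       # maximum plaintext record size
            and payload[5] == 0x01)           # handshake type: ClientHello

def classify(src, dst, first_payload):
    """Verdict for one client-to-server flow seen by the sensor."""
    if ipaddress.ip_address(dst) != ENCORE_SERVER:
        return "not-encore"
    if ipaddress.ip_address(src) in VPN_POOL:
        return "ok-via-vpn"          # arrived through the tunnel
    if looks_like_tls(first_payload):
        return "block-outside-vpn"   # encrypted, but bypasses the VPN rule
    return "block-cleartext"         # readable by anyone on the path

def audit(flows):
    """Return (src, verdict) for every flow that should be blocked."""
    results = []
    for src, dst, payload in flows:
        verdict = classify(src, dst, payload)
        if verdict.startswith("block"):
            results.append((src, verdict))
    return results

# Constructed sample data, not captured traffic.
TLS_HELLO = bytes.fromhex("16030100c5010000c10303")
CLEARTEXT = b"PLAINTEXT-SESSION-DATA"
SAMPLE_FLOWS = [
    ("10.8.0.15", "192.0.2.10", CLEARTEXT),
    ("203.0.113.7", "192.0.2.10", CLEARTEXT),
    ("198.51.100.4", "192.0.2.10", TLS_HELLO),
    ("203.0.113.7", "192.0.2.20", CLEARTEXT),
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_FLOWS):
        print(src, verdict)
```

Sessions from the VPN pool are accepted even though the inner protocol is cleartext, because the tunnel is what protects them on the untrusted path; anything reaching the server from another source is reported.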