CVE-2020-16224

Philips Patient Monitoring Devices Improper Handling of Length Parameter Inconsistency

Description

In Patient Information Center iX (PICiX) Versions C.02, C.03, the software parses a formatted message or structure but does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data, causing the application on the surveillance station to restart.

Remediation

Solution:

  • Philips released the following versions to remediate reported vulnerabilities: * Patient Information Center iX (PICiX) Version C.03 * Certificate revocation within the system was implemented for PIC iX.

Workaround:

  • As a mitigation to these vulnerabilities, Philips recommends the following: * The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses. Refer to the Philips Patient Monitoring System Security for Clinical Networks guide for additional information on InCenter https://incenter.medical.philips.com/ . * By default, the simple certificate enrollment protocol (SCEP) service is not running. When needed, the service is configured to run based on the duration or the number of certificates to be assigned. One certificate is default, but if a certificate is not issued, the service will continue to run. Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices. * When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits. * Implement physical security controls to prevent unauthorized login attempts on the PIC iX application. Servers should be kept in controlled locked data centers. Access to equipment at nurses’ stations should be controlled and monitored. * Only grant remote access to PIC iX servers on a must-have basis. * Grant login privileges to the bedside monitor and PIC iX application on a role-based, least-privilege basis, and only to trusted users. Users with questions regarding their specific Philips Patient Information Center (PIC iX) and/or IntelliVue patient monitor installations and new release eligibility should contact their local Philips service support team, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377. Please see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.07%
Third-Party Advisory cisa.gov
Affected: Philips Patient Information Center iX (PICiX)
Published at:
Updated at:

References

Link Tags
https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01 third party advisory us government resource
https://www.philips.com/productsecurity

Frequently Asked Questions

What is the severity of CVE-2020-16224?
CVE-2020-16224 has been scored as a medium severity vulnerability.
How to fix CVE-2020-16224?
To fix CVE-2020-16224: Philips released the following versions to remediate reported vulnerabilities: * Patient Information Center iX (PICiX) Version C.03 * Certificate revocation within the system was implemented for PIC iX.
Is CVE-2020-16224 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-16224 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-16224?
CVE-2020-16224 affects Philips Patient Information Center iX (PICiX).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.