ESB-2017.2157 - [Appliance] Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI: Multiple vulnerabilities 2017-08-30


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2157
              Abbott Laboratories Accent/Anthem, Accent MRI,
        Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities
                              30 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Abbott Laboratories Accent/Anthem
                   Abbott Laboratories Accent MRI
                   Abbott Laboratories Assurity/Allure
                   Abbott Laboratories Assurity MRI
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12716 CVE-2017-12714 CVE-2017-12712

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-17-241-01)

Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity 
MRI Pacemaker Vulnerabilities

Original release date: August 29, 2017

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories 
(formerly St. Jude Medical) pacemakers. Abbott has produced a firmware patch 
to help mitigate the identified vulnerabilities in their pacemakers that 
utilize radio frequency (RF) communications. A third-party security research 
firm has verified that the new firmware version mitigates the identified 
vulnerabilities.

The Food and Drug Administration (FDA) released a safety communication on 
August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities 
Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac 
Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities
and corresponding mitigation. In response, ICS-CERT is releasing this advisory
to provide additional detail to patients and healthcare providers.

AFFECTED PRODUCTS

The following pacemakers manufactured prior to August 28, 2017, are affected:

    Accent/Anthem,
    Accent MRI,
    Assurity/Allure, and
    Assurity MRI.

IMPACT

Successful exploitation of these vulnerabilities may allow a nearby attacker 
to gain unauthorized access to a pacemaker and issue commands, change 
settings, or otherwise interfere with the intended function of the pacemaker.

BACKGROUND

Abbott is a US-based company headquartered in Abbott Park, Illinois.

The affected pacemakers are implantable medical devices designed to deliver 
electrical pulses to correct a slow heartbeat or no heartbeat at all. 
According to Abbott, these pacemakers are deployed across the Healthcare and 
Public Health sector. Abbott indicates that these products are used worldwide;
however, Accent and Anthem are no longer sold in the US.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER AUTHENTICATION[a]

The pacemaker's authentication algorithm, which involves an authentication key
and time stamp, can be compromised or bypassed, which may allow a nearby 
attacker to issue unauthorized commands to the pacemaker via RF 
communications.

CVE-2017-12712[b] has been assigned to this vulnerability. A CVSS v3 base 
score of 7.5 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).[c]

IMPROPER RESTRICTION OF POWER CONSUMPTION[d]

The pacemakers do not restrict or limit the number of correctly formatted RF 
wake-up commands that can be received, which may allow a nearby attacker to 
repeatedly send commands to reduce pacemaker battery life.

CVE-2017-12714[e] has been assigned to this vulnerability. A CVSS v3 base 
score of 5.3 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).[f]

MISSING ENCRYPTION OF SENSITIVE DATA[g]

The Accent and Anthem pacemakers transmit unencrypted patient information via
RF communications to programmers and home monitoring units. The Assurity and 
Allure pacemakers do not contain this vulnerability. Additionally, the Accent
and Anthem pacemakers store the optional patient information without 
encryption; however, the Assurity and Allure pacemakers encrypt stored patient
information.

CVE-2017-12716[h] has been assigned to this vulnerability. A CVSS v3 base 
score of 3.1 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).[i]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited via an adjacent network. 
Exploitability is dependent on an attacker being sufficiently close to the 
target pacemaker as to allow RF communications.

EXISTENCE OF EXPLOIT

Exploitation of vulnerabilities has been publicly demonstrated; however, 
exploit code is not publicly available.

DIFFICULTY

An attacker with high skill would be able to exploit these vulnerabilities.

MITIGATION

Abbott has developed a firmware update to help mitigate the identified 
vulnerabilities. The version numbers of the firmware update for each product 
family are as follows:

    Accent/Anthem, Version F0B.0E.7E,
    Accent MRI/Accent ST, Version F10.08.6C,
    Assurity/Allure, Version F14.07.80, and
    Assurity MRI, Version F17.01.49.

The pacemaker firmware update will implement RF wake-up protections and limit
the commands that can be issued to pacemakers via RF communications. 
Additionally, the updated pacemaker firmware will prevent unencrypted 
transmission of patient information (Accent and Anthem only). The firmware 
update can be applied to an implanted pacemaker via the Merlin PCS Programmer
by a healthcare provider. It is recommended that healthcare providers discuss
this update with their patients and carefully consider the potential risk of a
cybersecurity attack along with the risk of performing a firmware update. 
Implementation of the firmware update is to be determined based on the 
physician's professional judgment and patient management considerations. 
Pacemakers manufactured beginning August 28, 2017, will have this update 
preloaded on devices.
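
The advisory states that the fixed firmware "will implement RF wake-up
protections" but does not describe the mechanism. The following simulation is
an added illustration for this bulletin, not code from the advisory and not a
description of Abbott's firmware; it shows the generic control behind CWE-920,
a bounded wake-up budget, and measures the drain a flood of well-formed wake-up
commands causes with and without it. The energy cost per wake-up, the battery
capacity, the flood rate and the budget limits are all made-up units for the
simulation.

```python
"""Bounding the battery drain from an RF wake-up flood (CWE-920).

Added illustration, not code from the ICS-CERT advisory or from Abbott's
firmware, whose actual wake-up protections are not described. Models a radio
front end deciding whether to honour a correctly formatted wake-up command.
All energy costs and limits below are assumed units chosen for the simulation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WAKE_COST_UJ = 50.0   # assumed energy spent per honoured wake-up (micro-joules)


@dataclass
class WakeUpPolicy:
    """Sliding-window budget: honour at most max_wakeups per window_s seconds.

    Commands beyond the budget are ignored before the costly wake-up happens,
    so the energy an attacker can extract per window is capped."""
    max_wakeups: int
    window_s: float
    _honoured_at: List[float] = field(default_factory=list)

    def allow(self, now: float) -> bool:
        cutoff = now - self.window_s
        self._honoured_at = [t for t in self._honoured_at if t > cutoff]
        if len(self._honoured_at) >= self.max_wakeups:
            return False
        self._honoured_at.append(now)
        return True


@dataclass
class Pacemaker:
    battery_uj: float
    policy: Optional[WakeUpPolicy] = None   # None: every well-formed wake-up honoured
    honoured: int = 0
    rejected: int = 0

    def receive_wakeup(self, now: float, well_formed: bool) -> bool:
        if not well_formed:
            return False            # malformed frames are dropped cheaply either way
        if self.policy is not None and not self.policy.allow(now):
            self.rejected += 1
            return False
        self.honoured += 1
        self.battery_uj -= WAKE_COST_UJ
        return True


def flood(device: Pacemaker, rate_hz: float, duration_s: float) -> float:
    """Send well-formed wake-ups at rate_hz for duration_s; return energy drained."""
    start = device.battery_uj
    for i in range(int(rate_hz * duration_s)):
        device.receive_wakeup(now=i / rate_hz, well_formed=True)
    return start - device.battery_uj


def compare(rate_hz: float = 10.0, duration_s: float = 3600.0,
            battery_uj: float = 1e8) -> Tuple[float, float]:
    """Drain caused by one hour of flooding: (unlimited device, budgeted device)."""
    unlimited = Pacemaker(battery_uj)
    budgeted = Pacemaker(battery_uj, policy=WakeUpPolicy(max_wakeups=6, window_s=3600.0))
    return flood(unlimited, rate_hz, duration_s), flood(budgeted, rate_hz, duration_s)


def legitimate_sessions(interval_s: float = 600.0, count: int = 6) -> int:
    """Wake-ups spaced like clinic or home-monitor sessions; returns how many
    the same budget honours (all of them, if the budget is sized for them)."""
    device = Pacemaker(1e8, policy=WakeUpPolicy(max_wakeups=6, window_s=3600.0))
    for k in range(count):
        device.receive_wakeup(now=k * interval_s, well_formed=True)
    return device.honoured


if __name__ == "__main__":
    unlimited, budgeted = compare()
    print(f"unlimited device lost {unlimited:.0f} uJ, budgeted device lost {budgeted:.0f} uJ")
    print(f"budgeted device honoured {legitimate_sessions()} of 6 legitimate sessions")
```

With these made-up parameters the unlimited device answers all 36,000 commands
in the hour while the budgeted one answers six and ignores the rest, so the
attacker's drain no longer scales with the number of commands sent. The budget
has to be sized for real clinical use (programmer and home-monitor sessions), or
the protection would itself become a denial of service.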

Abbott states that firmware updates should be approached with caution. Like 
any software update, firmware updates can cause devices to malfunction. 
Potential risks include loss of device settings, the device going into back-up
mode, reloading of the previous firmware due to a failed upgrade, loss of 
diagnostic data, and a complete loss of device functionality. The Abbott 
Cybersecurity Medical Advisory Board has reviewed this firmware update and the
associated risk of performing the update in the context of potential 
cybersecurity risk.

While not intended to serve as a substitute for clinician judgment as to 
whether the firmware update is advisable for a particular patient, the 
Cybersecurity Medical Advisory Board recommends the following:

Healthcare providers and patients should discuss the risks and benefits of the
cybersecurity vulnerabilities and associated firmware update during the next 
regularly scheduled visit. As part of this discussion, it is important to 
consider patient-specific issues such as pacemaker dependence, age of device,
and patient preference, and to provide patients with the Patient Communication.

Determine if the update is appropriate given the risk of update for the 
patient. If deemed appropriate, install this firmware update following the 
instructions provided by the manufacturer.

For pacing dependent patients, consider performing the cybersecurity firmware
update in a facility where temporary pacing and pacemaker generator change are
readily available, due to the risk of firmware update malfunction.

Patients and healthcare providers with questions can call the dedicated 
hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for
more information.

The FDA safety communication issued on August 29, 2017, Firmware Update to 
Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude
Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication, is 
available at the following location:

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

a. CWE-287: Improper Authentication, 
http://cwe.mitre.org/data/definitions/287.html, web site last accessed August
29, 2017.

b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12712, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

c. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S..., 
web site last accessed August 29, 2017.

d. CWE-920: Improper Restriction of Power Consumption, 
http://cwe.mitre.org/data/definitions/920.html, web site last accessed August
29, 2017.

e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12714, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

f. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S..., 
web site last accessed August 29, 2017.

g. CWE-311: Missing Encryption of Sensitive Data, 
http://cwe.mitre.org/data/definitions/311.html, web site last accessed August
29, 2017.

h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12716, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

i. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S..., 
web site last accessed August 29, 2017.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 
http://ics-cert.us-cert.gov


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
