29 November 2017
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.3026 Advisory (ICSMA-17-332-01) Ethicon Endo-Surgery Generator G11 Vulnerability 29 November 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Ethicon Endo-Surgery Generator Publisher: ICS-CERT Operating System: Network Appliance Impact/Access: Unauthorised Access -- Console/Physical Resolution: Patch/Upgrade CVE Names: CVE-2017-14018 Original Bulletin: https://ics-cert.us-cert.gov/advisories/ICSMA-17-332-01 - --------------------------BEGIN INCLUDED TEXT-------------------- Advisory (ICSMA-17-332-01) Ethicon Endo-Surgery Generator G11 Vulnerability Original release date: November 28, 2017 Legal Notice All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/. OVERVIEW Johnson & Johnson, the parent company of Ethicon Endo-Surgery, LLC, reported an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11. EthiconEndo-Surgery, LLC has produced updates that mitigate this vulnerability in the affected product. AFFECTED PRODUCTS The following versions of the Ethicon Endo-Surgery Generator Gen11 are affected: Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. IMPACT Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment and specific clinical usage. BACKGROUND Ethicon Endo-Surgery, LLC is a subsidiary of Johnson & Johnson and is a U.S.-based company that maintains offices in several countries around the world. The Ethicon Endo-Surgery Generator Gen11 is deployed across the Healthcare and Public Health sector. This product is marketed globally. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW IMPROPER AUTHENTICATIONa The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can be bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability. CVE-2017-14018b has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L).c EXPLOITABILITY This vulnerability cannot be exploited remotely. EXISTENCE OF EXPLOIT No known public exploits specifically target this vulnerability. DIFFICULTY An attacker with high skill would be able to exploit this vulnerability. MITIGATION Ethicon Endo-Surgery, LLC has contacted users and initiated a field cybersecurity update to address the vulnerability in the Ethicon Endo-Surgery Generator Gen11. The update will be made available on November 29, 2017. Users with questions regarding the vulnerability or the product update are advised to contact their Ethicon Endo-Surgery, LLC sales representative or Ethicon Customer Support Center at 1-877-ETHICON. a. CWE-287: Improper Authentication, http://cwe.mitre.org/data/definitions/287.html, web site last accessed November 28, 2017. b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14018, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S..., web site last accessed November 28, 2017. Contact Information For any questions related to this report, please contact ICS-CERT at: Email: email@example.com (link sends e-mail) Toll Free: 1-877-776-7585 International Callers: (208) 526-0900 For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWh4s/Ix+lLeg9Ub1AQj00hAAli09+QUE+LEGaJeM+qQxeIkoJeEM/8oT IYSkZUov4oXczOIE4tkNH8P8MFcLH88xNZt1By2JA1E4gSD8kEyqTXnqNmClb/RZ BpHsz4M26GM0yOAUPHoAyk1/P1fXULopHhvV1Qy5Vg/0i3uJ2XbF08NAGlEWR6Xl 1FbHkNho9d4js1xQXyGHbC3nCNW3R2ei3oQ2A+9B6UklaFDPA+D5mSjQ0LbPsBbO Tw0tiTiUib5G/LMaqyXaz4AgvLIQpkvgHnkhZo0AuTg2Rkr5PsuH9JO/U0uwkWRD BO56GYuYzMXb1uvTOVjRDzS9LzCu5Eq2bjW+8s0PfsWkRt0UXrL3eKzSJivKv6oa 5qzIs+HHJK1b4uKTw7+tGAzAoSxmBJwn2TYeRoK3waekzR1aDm/J6fKAhbzD47rl C7JkCOMH39Vu/2PB2n1ZnInCFIhr1t1GTnQSH+Qa+IkSMpK2pbpba9OCujLRsGIn cO3gzuIIX4mshlM7WaxjSltbZJQiD7fj8u+CHJpYS1ClDMj/1pvSeJece39gW9UI Vm/52GMUR6UKS5fsdbsvgtEIBBWXp5KzMBpU0dDxOO5PVIcOTN5w6WZroa9HlUJ0 nujDcObrYV9EsOeWBgtZslS8NNF/pRBDwxlqdtbI1T+Z73JcZEbthA9cekRUc9JT Esf4o8QczS0= =PmzW -----END PGP SIGNATURE-----