-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1183
  Advisory (ICSMA-18-107-02) - Biosense Webster Carto 3 System Vulnerabilities
                               18 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Biosense Webster Carto 3
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise        -- Console/Physical
                   Denial of Service               -- Console/Physical
                   Provide Misleading Information  -- Console/Physical
                   Access Confidential Data        -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-8592 CVE-2017-8590 CVE-2017-8589 CVE-2017-8588
                   CVE-2017-8587 CVE-2017-8582 CVE-2017-8581 CVE-2017-8580
                   CVE-2017-8578 CVE-2017-8577 CVE-2017-8573 CVE-2017-8565
                   CVE-2017-8564 CVE-2017-8557 CVE-2017-8556 CVE-2017-8554
                   CVE-2017-8553 CVE-2017-8552 CVE-2017-8544 CVE-2017-8543
                   CVE-2017-8534 CVE-2017-8533 CVE-2017-8532 CVE-2017-8531
                   CVE-2017-8528 CVE-2017-8527 CVE-2017-8495 CVE-2017-8492
                   CVE-2017-8491 CVE-2017-8490 CVE-2017-8489 CVE-2017-8488
                   CVE-2017-8486 CVE-2017-8485 CVE-2017-8484 CVE-2017-8483
                   CVE-2017-8482 CVE-2017-8481 CVE-2017-8480 CVE-2017-8479
                   CVE-2017-8478 CVE-2017-8477 CVE-2017-8476 CVE-2017-8475
                   CVE-2017-8473 CVE-2017-8472 CVE-2017-8471 CVE-2017-8470
                   CVE-2017-8469 CVE-2017-8467 CVE-2017-8464 CVE-2017-8463
                   CVE-2017-8462 CVE-2017-0300 CVE-2017-0298 CVE-2017-0297
                   CVE-2017-0296 CVE-2017-0294 CVE-2017-0289 CVE-2017-0288
                   CVE-2017-0287 CVE-2017-0286 CVE-2017-0285 CVE-2017-0284
                   CVE-2017-0283 CVE-2017-0282 CVE-2017-0280 CVE-2017-0279
                   CVE-2017-0278 CVE-2017-0277 CVE-2017-0276 CVE-2017-0275
                   CVE-2017-0274 CVE-2017-0273 CVE-2017-0272 CVE-2017-0271
                   CVE-2017-0270 CVE-2017-0269 CVE-2017-0268 CVE-2017-0267
                   CVE-2017-0263 CVE-2017-0260 CVE-2017-0258 CVE-2017-0248
                   CVE-2017-0246 CVE-2017-0245 CVE-2017-0244 CVE-2017-0242
                   CVE-2017-0238 CVE-2017-0231 CVE-2017-0226 CVE-2017-0222
                   CVE-2017-0220 CVE-2017-0214 CVE-2017-0213 CVE-2017-0199
                   CVE-2017-0193 CVE-2017-0192 CVE-2017-0191 CVE-2017-0190
                   CVE-2017-0184 CVE-2017-0183 CVE-2017-0182 CVE-2017-0180
                   CVE-2017-0175 CVE-2017-0171 CVE-2017-0170 CVE-2017-0168
                   CVE-2017-0167 CVE-2017-0166 CVE-2017-0163 CVE-2017-0158
                   CVE-2017-0156 CVE-2017-0155 CVE-2017-0148 CVE-2017-0147
                   CVE-2017-0146 CVE-2017-0145 CVE-2017-0144 CVE-2017-0143
                   CVE-2017-0128 CVE-2017-0127 CVE-2017-0126 CVE-2017-0125
                   CVE-2017-0124 CVE-2017-0123 CVE-2017-0122 CVE-2017-0121
                   CVE-2017-0120 CVE-2017-0119 CVE-2017-0118 CVE-2017-0117
                   CVE-2017-0116 CVE-2017-0115 CVE-2017-0114 CVE-2017-0113
                   CVE-2017-0112 CVE-2017-0111 CVE-2017-0109 CVE-2017-0108
                   CVE-2017-0104 CVE-2017-0103 CVE-2017-0102 CVE-2017-0101
                   CVE-2017-0100 CVE-2017-0099 CVE-2017-0097 CVE-2017-0096
                   CVE-2017-0092 CVE-2017-0091 CVE-2017-0090 CVE-2017-0089
                   CVE-2017-0088 CVE-2017-0087 CVE-2017-0086 CVE-2017-0085
                   CVE-2017-0084 CVE-2017-0083 CVE-2017-0077 CVE-2017-0076
                   CVE-2017-0075 CVE-2017-0073 CVE-2017-0072 CVE-2017-0064
                   CVE-2017-0063 CVE-2017-0062 CVE-2017-0061 CVE-2017-0060
                   CVE-2017-0058 CVE-2017-0056 CVE-2017-0055 CVE-2017-0050
                   CVE-2017-0047 CVE-2017-0045 CVE-2017-0043 CVE-2017-0042
                   CVE-2017-0039 CVE-2017-0038 CVE-2017-0025 CVE-2017-0022
                   CVE-2017-0014 CVE-2017-0005 CVE-2013-6629
Reference:         ASB-2017.0100 ASB-2017.0089 ESB-2017.0664 ESB-2013.1652

Original Bulletin:
   https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-02

Comment: Biosense Webster Inc. have stated that due to a software firewall,
         the listed vulnerabilities can only be exploited through physical
         access to the device.

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-107-02)
Biosense Webster Carto 3 System Vulnerabilities

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only.
The Department of Homeland Security (DHS) does not provide any warranties of
any kind regarding any information contained within. DHS does not endorse any
commercial product or service, referenced in this product or otherwise.
Further dissemination of this product is governed by the Traffic Light
Protocol (TLP) marking in the header. For more information about TLP, see
http://www.us-cert.gov/tlp/.

1. EXECUTIVE SUMMARY

Biosense Webster Inc. (BWI), a Johnson & Johnson company, has produced a
software update that applies operating system patches and anti-virus signature
updates to close known vulnerabilities in the operating system of the CARTO 3
System, a 3D cardiovascular mapping platform. This update will be applied to
CARTO 3 Systems beginning in April, 2018 as part of the free-of-charge CARTO 3
Version 6 (V6) base software version, which is designed to upgrade compatible
CARTO 3 Systems running Version 4 (V4).

2. RISK EVALUATION

If the system is networked, the network interface for CARTO 3 V4 is
sufficiently restricted by a software firewall to provide users reasonable
assurance that it will not be exploited remotely or via malware/ransomware.

If an attacker has persistent physical access to a CARTO 3 V4 System, the
attacker could exploit the vulnerabilities in the operating system. This could
allow the attacker to access information stored in the device, including
individually identified health information about patients, affect the
integrity of CARTO 3, or deny availability of the device. If the CARTO 3 V4
System is networked, an attacker with persistent physical access may also be
able to access other systems within the user's network.

Impact to individual organizations depends on many factors that are unique to
each organization. NCCIC recommends that organizations evaluate the impact of
these vulnerabilities based on their operational environment and specific
clinical usage.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following CARTO 3 Systems versions are affected:

  - CARTO 3 Systems manufactured before April, 2018.

3.2 VULNERABILITY OVERVIEW

BWI reported controlled risks in the CARTO 3 System related to operating
system vulnerabilities and outdated anti-virus signatures. A table providing
CVE numbers, Microsoft vulnerability tracking numbers, and titles can be found
at the following link:

http://www.productsecurity.jnj.com/CARTO3v4-Advisory-040918.pdf

3.3 VULNERABILITY DETAILS

3.3.1 EXPLOITABILITY

These vulnerabilities cannot be exploited remotely. Even if the CARTO 3 V4
System is networked, its network interface is restricted by a software
firewall. These vulnerabilities require physical access to the CARTO 3 V4
System to exploit.

3.3.2 EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities exist and are publicly available.

3.3.3 DIFFICULTY

Exploiting these vulnerabilities would be difficult because an attacker must
have physical access to the device and knowledge of the public exploits to
exploit these vulnerabilities.

4. BACKGROUND

BWI, a Johnson & Johnson company, is a U.S.-based company that maintains
offices in several countries around the world, including the U.S., Asia,
Europe, Middle East, and Africa. The affected product, the CARTO 3 V4 System,
is an imaging device that uses electromagnetic technology to create real-time
three-dimensional (3D) maps of a patient's cardiac structures.

According to BWI, CARTO 3 is deployed across the healthcare and public health
sector. BWI estimates these products are used primarily in the United States,
Asia, Europe, Middle East, and Africa.

5. MITIGATIONS

Physical security for the CARTO 3 System is a critical control that must be
employed by device users to limit the exposure of identified risks and
vulnerabilities that can be exploited with persistent physical access to the
device.
BWI will be contacting users to initiate a software update in the field to
address vulnerabilities within the CARTO 3 System. Users with questions
regarding the CARTO 3 system are advised to contact their BWI sales
representative or service technician.

Please see the Johnson & Johnson Product Security website for the latest
security information for Products of the Johnson & Johnson Family of
Companies:

http://productsecurity.jnj.com

NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  - Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  - Locate all medical devices and remote devices behind firewalls, and
    isolate them from the business network.
  - When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
    and should be updated to the most current version available. Also
    recognize that VPN is only as secure as the connected devices.

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. NCCIC reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

Additional mitigation guidance and recommended practices are publicly
available in the NCCIC Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for
tracking and correlation against other incidents.
Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:
http://ics-cert.us-cert.gov
or incident reporting: https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this
product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================