
             AUSCERT External Security Bulletin Redistribution

       Advisory (ICSMA-18-107-02) - Biosense Webster Carto 3 System
                               18 April 2018


        AusCERT Security Bulletin Summary

Product:           Biosense Webster Carto 3
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise       -- Console/Physical
                   Denial of Service              -- Console/Physical
                   Provide Misleading Information -- Console/Physical
                   Access Confidential Data       -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-8592 CVE-2017-8590 CVE-2017-8589
                   CVE-2017-8588 CVE-2017-8587 CVE-2017-8582
                   CVE-2017-8581 CVE-2017-8580 CVE-2017-8578
                   CVE-2017-8577 CVE-2017-8573 CVE-2017-8565
                   CVE-2017-8564 CVE-2017-8557 CVE-2017-8556
                   CVE-2017-8554 CVE-2017-8553 CVE-2017-8552
                   CVE-2017-8544 CVE-2017-8543 CVE-2017-8534
                   CVE-2017-8533 CVE-2017-8532 CVE-2017-8531
                   CVE-2017-8528 CVE-2017-8527 CVE-2017-8495
                   CVE-2017-8492 CVE-2017-8491 CVE-2017-8490
                   CVE-2017-8489 CVE-2017-8488 CVE-2017-8486
                   CVE-2017-8485 CVE-2017-8484 CVE-2017-8483
                   CVE-2017-8482 CVE-2017-8481 CVE-2017-8480
                   CVE-2017-8479 CVE-2017-8478 CVE-2017-8477
                   CVE-2017-8476 CVE-2017-8475 CVE-2017-8473
                   CVE-2017-8472 CVE-2017-8471 CVE-2017-8470
                   CVE-2017-8469 CVE-2017-8467 CVE-2017-8464
                   CVE-2017-8463 CVE-2017-8462 CVE-2017-0300
                   CVE-2017-0298 CVE-2017-0297 CVE-2017-0296
                   CVE-2017-0294 CVE-2017-0289 CVE-2017-0288
                   CVE-2017-0287 CVE-2017-0286 CVE-2017-0285
                   CVE-2017-0284 CVE-2017-0283 CVE-2017-0282
                   CVE-2017-0280 CVE-2017-0279 CVE-2017-0278
                   CVE-2017-0277 CVE-2017-0276 CVE-2017-0275
                   CVE-2017-0274 CVE-2017-0273 CVE-2017-0272
                   CVE-2017-0271 CVE-2017-0270 CVE-2017-0269
                   CVE-2017-0268 CVE-2017-0267 CVE-2017-0263
                   CVE-2017-0260 CVE-2017-0258 CVE-2017-0248
                   CVE-2017-0246 CVE-2017-0245 CVE-2017-0244
                   CVE-2017-0242 CVE-2017-0238 CVE-2017-0231
                   CVE-2017-0226 CVE-2017-0222 CVE-2017-0220
                   CVE-2017-0214 CVE-2017-0213 CVE-2017-0199
                   CVE-2017-0193 CVE-2017-0192 CVE-2017-0191
                   CVE-2017-0190 CVE-2017-0184 CVE-2017-0183
                   CVE-2017-0182 CVE-2017-0180 CVE-2017-0175
                   CVE-2017-0171 CVE-2017-0170 CVE-2017-0168
                   CVE-2017-0167 CVE-2017-0166 CVE-2017-0163
                   CVE-2017-0158 CVE-2017-0156 CVE-2017-0155
                   CVE-2017-0148 CVE-2017-0147 CVE-2017-0146
                   CVE-2017-0145 CVE-2017-0144 CVE-2017-0143
                   CVE-2017-0128 CVE-2017-0127 CVE-2017-0126
                   CVE-2017-0125 CVE-2017-0124 CVE-2017-0123
                   CVE-2017-0122 CVE-2017-0121 CVE-2017-0120
                   CVE-2017-0119 CVE-2017-0118 CVE-2017-0117
                   CVE-2017-0116 CVE-2017-0115 CVE-2017-0114
                   CVE-2017-0113 CVE-2017-0112 CVE-2017-0111
                   CVE-2017-0109 CVE-2017-0108 CVE-2017-0104
                   CVE-2017-0103 CVE-2017-0102 CVE-2017-0101
                   CVE-2017-0100 CVE-2017-0099 CVE-2017-0097
                   CVE-2017-0096 CVE-2017-0092 CVE-2017-0091
                   CVE-2017-0090 CVE-2017-0089 CVE-2017-0088
                   CVE-2017-0087 CVE-2017-0086 CVE-2017-0085
                   CVE-2017-0084 CVE-2017-0083 CVE-2017-0077
                   CVE-2017-0076 CVE-2017-0075 CVE-2017-0073
                   CVE-2017-0072 CVE-2017-0064 CVE-2017-0063
                   CVE-2017-0062 CVE-2017-0061 CVE-2017-0060
                   CVE-2017-0058 CVE-2017-0056 CVE-2017-0055
                   CVE-2017-0050 CVE-2017-0047 CVE-2017-0045
                   CVE-2017-0043 CVE-2017-0042 CVE-2017-0039
                   CVE-2017-0038 CVE-2017-0025 CVE-2017-0022
                   CVE-2017-0014 CVE-2017-0005 CVE-2013-6629

Reference:         ASB-2017.0100

Original Bulletin: 

Comment: Biosense Webster Inc. have stated that due to a software firewall, the 
         listed vulnerabilities can only be exploited through physical access
         to the device.

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-18-107-02)
Biosense Webster Carto 3 System Vulnerabilities

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.


Biosense Webster Inc. (BWI), a Johnson & Johnson company, has produced a
software update that applies operating system patches and anti-virus signature
updates to close known vulnerabilities in the operating system of the CARTO 3
System, a 3D cardiovascular mapping platform. This update will be applied to
CARTO 3 Systems beginning in April, 2018 as part of the free-of-charge CARTO 3
Version 6 (V6) base software version, which is designed to upgrade compatible
CARTO 3 Systems running Version 4 (V4).


If the system is networked, the network interface for CARTO 3 V4 is
sufficiently restricted by a software firewall to provide users reasonable
assurance that it will not be exploited remotely or via malware/ransomware. If
an attacker has persistent physical access to a CARTO 3 V4 System, the attacker
could exploit the vulnerabilities in the operating system. This could allow the
attacker to access information stored in the device, including individually
identified health information about patients, affect the integrity of CARTO 3,
or deny availability of the device. If the CARTO 3 V4 System is networked, an
attacker with persistent physical access may also be able to access other
systems within the user's network.

Impact to individual organizations depends on many factors that are unique to
each organization. NCCIC recommends that organizations evaluate the impact of
these vulnerabilities based on their operational environment and specific
clinical usage.



The following CARTO 3 Systems versions are affected:

CARTO 3 Systems manufactured before April, 2018.


BWI reported controlled risks in the CARTO 3 System related to operating system
vulnerabilities and outdated anti-virus signatures. A table providing CVE
numbers, Microsoft vulnerability tracking numbers, and titles can be found at
the following link:



These vulnerabilities cannot be exploited remotely. Even if the CARTO 3 V4
System is networked, its network interface is restricted by a software
firewall. These vulnerabilities require physical access to the CARTO 3 V4
System to exploit.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities exist and are publicly available.

DIFFICULTY

Exploiting these vulnerabilities would be difficult because an attacker must
have physical access to the device and knowledge of the public exploits to
exploit these vulnerabilities.


BWI, a Johnson & Johnson company, is a U.S.-based company that maintains
offices in several countries around the world, including the U.S., Asia,
Europe, Middle East, and Africa.

The affected product, the CARTO 3 V4 System, is an imaging device that uses
electromagnetic technology to create real-time three-dimensional (3D) maps of a
patient's cardiac structures. According to BWI, CARTO 3 is deployed across the
healthcare and public health sector. BWI estimates these products are used
primarily in the United States, Asia, Europe, Middle East, and Africa.


Physical security for the CARTO 3 System is a critical control that must be
employed by device users to limit the exposure of identified risks and
vulnerabilities that can be exploited with persistent physical access to the

BWI will be contacting users to initiate a software update in the field to
address vulnerabilities within the CARTO 3 System.

Users with questions regarding the CARTO 3 system are advised to contact their
BWI sales representative or service technician.

Please see the Johnson & Johnson Product Security website for the latest
security information for Products of the Johnson & Johnson Family of Companies:


NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

    - Minimize network exposure for all control system devices and/or systems,
      and ensure that they are not accessible from the Internet.
    - Locate all medical devices and remote devices behind firewalls, and
      isolate them from the business network.
    - When remote access is required, use secure methods, such as Virtual
      Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
      and should be updated to the most current version available. Also
      recognize that VPN is only as secure as the connected devices.
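The bulletin's whole risk argument rests on the host firewall keeping the
network interface closed, and the first two recommended measures above amount
to verifying that exposure. The following audit helper is an added example and
is not part of the ICS-CERT or AusCERT text, nor vendor code; it assumes a
Windows host on which the NetSecurity PowerShell module is available (Windows
8.1 / Server 2012 R2 or later) and an elevated session. The function name and
output layout are this example's own choices.

```powershell
# Added audit helper (example code, not from the bulletin or the vendor).
# Assumes a Windows host with the NetSecurity module; run elevated.
# Reports (1) firewall profiles that are off or default-allow inbound,
# (2) every enabled inbound allow rule with the ports it opens, and
# (3) the installed OS updates, for comparison with the vendor's patch list.

function Test-HostNetworkExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Each profile (Domain, Private, Public) should be enabled with a default
    #    inbound action of Block, so only explicit allow rules open a port.
    foreach ($profile in Get-NetFirewallProfile) {
        if (-not $profile.Enabled) {
            $findings += "Profile '$($profile.Name)': firewall is disabled"
        }
        if ("$($profile.DefaultInboundAction)" -ne 'Block') {
            $findings += "Profile '$($profile.Name)': default inbound action is " +
                         "'$($profile.DefaultInboundAction)', expected Block"
        }
    }

    # 2. Enabled inbound allow rules are the deliberate exceptions; each should be
    #    traceable to a documented clinical or vendor-support requirement.
    $inboundAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            [PSCustomObject]@{
                Name      = $rule.DisplayName
                Profile   = "$($rule.Profile)"
                Protocol  = "$($port.Protocol)"
                LocalPort = (@($port.LocalPort) -join ',')
            }
        }

    # 3. Installed updates, newest first (InstalledOn may be empty for some entries).
    $updates = Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, InstalledOn, Description

    [PSCustomObject]@{
        Findings          = $findings
        InboundAllowRules = $inboundAllow
        InstalledUpdates  = $updates
    }
}

# Usage:
$report = Test-HostNetworkExposure
if ($report.Findings.Count -eq 0) { 'Firewall profiles: OK' } else { $report.Findings }
$report.InboundAllowRules | Format-Table -AutoSize
$report.InstalledUpdates  | Select-Object -First 10 | Format-Table -AutoSize
```

An empty Findings list plus a short, fully justified InboundAllowRules table is
the state the bulletin describes as "sufficiently restricted"; any inbound allow
rule that nobody can account for is the exposure the first recommendation asks
you to minimise. The update list is only a starting point: the CVE-to-KB mapping
for this product comes from the vendor's table, not from this script.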

NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. NCCIC reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive

Additional mitigation guidance and recommended practices are publicly available
in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber
Intrusion Detection and Mitigation Strategies, that is available for download
from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.

Contact Information

For any questions related to this report, please contact the NCCIC at:

Email:     NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:
http://ics-cert.us-cert.gov or incident reporting:

The NCCIC continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this product.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967