Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.1183
Advisory (ICSMA-18-107-02) - Biosense Webster Carto 3 System
Vulnerabilities
18 April 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Biosense Webster Carto 3
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Administrator Compromise -- Console/Physical
Denial of Service -- Console/Physical
Provide Misleading Information -- Console/Physical
Access Confidential Data -- Console/Physical
Resolution: Patch/Upgrade
CVE Names: CVE-2017-8592 CVE-2017-8590 CVE-2017-8589
CVE-2017-8588 CVE-2017-8587 CVE-2017-8582
CVE-2017-8581 CVE-2017-8580 CVE-2017-8578
CVE-2017-8577 CVE-2017-8573 CVE-2017-8565
CVE-2017-8564 CVE-2017-8557 CVE-2017-8556
CVE-2017-8554 CVE-2017-8553 CVE-2017-8552
CVE-2017-8544 CVE-2017-8543 CVE-2017-8534
CVE-2017-8533 CVE-2017-8532 CVE-2017-8531
CVE-2017-8528 CVE-2017-8527 CVE-2017-8495
CVE-2017-8492 CVE-2017-8491 CVE-2017-8490
CVE-2017-8489 CVE-2017-8488 CVE-2017-8486
CVE-2017-8485 CVE-2017-8484 CVE-2017-8483
CVE-2017-8482 CVE-2017-8481 CVE-2017-8480
CVE-2017-8479 CVE-2017-8478 CVE-2017-8477
CVE-2017-8476 CVE-2017-8475 CVE-2017-8473
CVE-2017-8472 CVE-2017-8471 CVE-2017-8470
CVE-2017-8469 CVE-2017-8467 CVE-2017-8464
CVE-2017-8463 CVE-2017-8462 CVE-2017-0300
CVE-2017-0298 CVE-2017-0297 CVE-2017-0296
CVE-2017-0294 CVE-2017-0289 CVE-2017-0288
CVE-2017-0287 CVE-2017-0286 CVE-2017-0285
CVE-2017-0284 CVE-2017-0283 CVE-2017-0282
CVE-2017-0280 CVE-2017-0279 CVE-2017-0278
CVE-2017-0277 CVE-2017-0276 CVE-2017-0275
CVE-2017-0274 CVE-2017-0273 CVE-2017-0272
CVE-2017-0271 CVE-2017-0270 CVE-2017-0269
CVE-2017-0268 CVE-2017-0267 CVE-2017-0263
CVE-2017-0260 CVE-2017-0258 CVE-2017-0248
CVE-2017-0246 CVE-2017-0245 CVE-2017-0244
CVE-2017-0242 CVE-2017-0238 CVE-2017-0231
CVE-2017-0226 CVE-2017-0222 CVE-2017-0220
CVE-2017-0214 CVE-2017-0213 CVE-2017-0199
CVE-2017-0193 CVE-2017-0192 CVE-2017-0191
CVE-2017-0190 CVE-2017-0184 CVE-2017-0183
CVE-2017-0182 CVE-2017-0180 CVE-2017-0175
CVE-2017-0171 CVE-2017-0170 CVE-2017-0168
CVE-2017-0167 CVE-2017-0166 CVE-2017-0163
CVE-2017-0158 CVE-2017-0156 CVE-2017-0155
CVE-2017-0148 CVE-2017-0147 CVE-2017-0146
CVE-2017-0145 CVE-2017-0144 CVE-2017-0143
CVE-2017-0128 CVE-2017-0127 CVE-2017-0126
CVE-2017-0125 CVE-2017-0124 CVE-2017-0123
CVE-2017-0122 CVE-2017-0121 CVE-2017-0120
CVE-2017-0119 CVE-2017-0118 CVE-2017-0117
CVE-2017-0116 CVE-2017-0115 CVE-2017-0114
CVE-2017-0113 CVE-2017-0112 CVE-2017-0111
CVE-2017-0109 CVE-2017-0108 CVE-2017-0104
CVE-2017-0103 CVE-2017-0102 CVE-2017-0101
CVE-2017-0100 CVE-2017-0099 CVE-2017-0097
CVE-2017-0096 CVE-2017-0092 CVE-2017-0091
CVE-2017-0090 CVE-2017-0089 CVE-2017-0088
CVE-2017-0087 CVE-2017-0086 CVE-2017-0085
CVE-2017-0084 CVE-2017-0083 CVE-2017-0077
CVE-2017-0076 CVE-2017-0075 CVE-2017-0073
CVE-2017-0072 CVE-2017-0064 CVE-2017-0063
CVE-2017-0062 CVE-2017-0061 CVE-2017-0060
CVE-2017-0058 CVE-2017-0056 CVE-2017-0055
CVE-2017-0050 CVE-2017-0047 CVE-2017-0045
CVE-2017-0043 CVE-2017-0042 CVE-2017-0039
CVE-2017-0038 CVE-2017-0025 CVE-2017-0022
CVE-2017-0014 CVE-2017-0005 CVE-2013-6629
Reference: ASB-2017.0100
ASB-2017.0089
ESB-2017.0664
ESB-2013.1652
Original Bulletin:
https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-02
Comment: Biosense Webster Inc. have stated that due to a software firewall, the
listed vulnerabilities can only be exploited through physical access
to the device.
- --------------------------BEGIN INCLUDED TEXT--------------------
Advisory (ICSMA-18-107-02)
Biosense Webster Carto 3 System Vulnerabilities
Legal Notice
All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.
1. EXECUTIVE SUMMARY
Biosense Webster Inc. (BWI), a Johnson & Johnson company, has produced a
software update that applies operating system patches and anti-virus signature
updates to close known vulnerabilities in the operating system of the CARTO 3
System, a 3D cardiovascular mapping platform. This update will be applied to
CARTO 3 Systems beginning in April, 2018 as part of the free-of-charge CARTO 3
Version 6 (V6) base software version, which is designed to upgrade compatible
CARTO 3 Systems running Version 4 (V4).
2. RISK EVALUATION
If the system is networked, the network interface for CARTO 3 V4 is
sufficiently restricted by a software firewall to provide users reasonable
assurance that it will not be exploited remotely or via malware/ransomware. If
an attacker has persistent physical access to a CARTO 3 V4 System, the attacker
could exploit the vulnerabilities in the operating system. This could allow the
attacker to access information stored in the device, including individually
identified health information about patients, affect the integrity of CARTO 3,
or deny availability of the device. If the CARTO 3 V4 System is networked, an
attacker with persistent physical access may also be able to access other
systems within the user's network.
Impact to individual organizations depends on many factors that are unique to
each organization. NCCIC recommends that organizations evaluate the impact of
these vulnerabilities based on their operational environment and specific
clinical usage.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following CARTO 3 Systems versions are affected:
CARTO 3 Systems manufactured before April, 2018.
3.2 VULNERABILITY OVERVIEW
BWI reported controlled risks in the CARTO 3 System related to operating system
vulnerabilities and outdated anti-virus signatures. A table providing CVE
numbers, Microsoft vulnerability tracking numbers, and titles can be found at
the following link:
http://www.productsecurity.jnj.com/CARTO3v4-Advisory-040918.pdf
3.2.1 VULNERABILITY DETAILS
3.2.2.1 EXPLOITABILITY
These vulnerabilities cannot be exploited remotely. Even if the CARTO 3 V4
System is networked, its network interface is restricted by a software
firewall. These vulnerabilities require physical access to the CARTO 3 V4
System to exploit.
3.2.2.2 EXISTENCE OF EXPLOIT
Exploits that target these vulnerabilities exist and are publicly available.
3.2.2.3 DIFFICULTY
Exploiting these vulnerabilities would be difficult because an attacker must
have physical access to the device and knowledge of the public exploits to
exploit these vulnerabilities.
4.3 BACKGROUND
BWI, a Johnson & Johnson company, is a U.S.-based company that maintains
offices in several countries around the world, including the U.S., Asia,
Europe, Middle East, and Africa.
The affected product, the CARTO 3 V4 System, is an imaging device that uses
electromagnetic technology to create real-time three-dimensional (3D) maps of a
patient's cardiac structures. According to BWI, CARTO 3 is deployed across the
healthcare and public health sector. BWI estimates these products are used
primarily in the United States, Asia, Europe, Middle East, and Africa.
5. MITIGATIONS
Physical security for the CARTO 3 System is a critical control that must be
employed by device users to limit the exposure of identified risks and
vulnerabilities that can be exploited with persistent physical access to the
device.
BWI will be contacting users to initiate a software update in the field to
address vulnerabilities within the CARTO 3 System.
Users with questions regarding the CARTO 3 system are advised to contact their
BWI sales representative or service technician.
Please see the Johnson & Johnson Product Security website for the latest
security information for Products of the Johnson & Johnson Family of Companies:
http://productsecurity.jnj.com
NCCIC recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems,
and ensure that they are not accessible from the Internet.
- Locate all medical devices and remote devices behind firewalls, and
isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual
Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
and should be updated to the most current version available. Also
recognize that VPN is only as secure as the connected devices.
NCCIC also provides a section for control systems security recommended
practices on the ICS-CERT web page. NCCIC reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.
Additional mitigation guidance and recommended practices are publicly available
in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber
Intrusion Detection and Mitigation Strategies, that is available for download
from the ICS-CERT website.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to NCCIC for tracking
and correlation against other incidents.
Contact Information
For any questions related to this report, please contact the NCCIC at:
Email: NCCICCUSTOMERSERVICE@hq.dhs.gov Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information:
http://ics-cert.us-cert.gov or incident reporting:
https://ics-cert.us-cert.gov/Report-Incident?
The NCCIC continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWtbHlYx+lLeg9Ub1AQio2RAAm+fDIbqQLM1ktAK1yn8MthG080Fyy4eW
qfmacbYEkhmqoLYSLycMzGFzMa3Yzb1Nsl3Ua0Iv9j0UxU53Dg+NzWrjIOv7qgcV
bJxB4j/fQs8t6s26lgHTPvQzWInEcCgc6N4IHg4Z4F/KvznhFXtAcocIyje4f215
GGciNpYgbQk/ZfYKmTE0fbj2J+7cEBDBSegb29Lenxq6e1ja437MV9yUUbaATFaL
aw/+S6J6vR339fKulVQSlnKYobNpTQAU4R5L7gNENTPQg6hgn6tJ7QtzaSykOm23
FSleAPo5+jp0bNwkzIsgwiImBic1DEPceWOyTq7gphayWnDxRdXB2nP1FfSYoDiK
VwtGl1eHuixU5FCE/y2d/UiOW4oj7qjDHE5q2C3b4SQzCdaKuft3e/mOnC/zpG6Q
5uRSxcTlklms226mZ1lCSUup42E2nYsiUSIP7IbLibbq9idcgMcM2abeWM999ozg
8Waq8shvKkYaHagijTGk0s2Vmv6HMfB5wd6TSpyw1YGWx61h0An8rO5RGQ2njoZJ
mWYBgBAHkDWbZvlzeyOFEkzhC/WPRQefuKDgTmTYTcg+G3BIegdXWm3USGsz2Pk6
M420+ssbD7siGXnqUXn7xosW75o5GPg3JSwT30pIgxWLCETmx/eTJIb8Il7epU0F
M5YYoX5VxdM=
=sTE2
-----END PGP SIGNATURE-----