ICS Medical Advisories

• Philips Xper-IM Connect Vulnerabilities 2022-11-25
  OVERVIEW Independent researchers Mike Ahmadi of Synopsys and Billy Rios of Whitescope LLC, in collaboration with Philips, have identified numerous vulnerabilities with an automated software composition analysis tool in the Philips Xper-IM Connect system running on Windows XP. Philips reports that the identified vulnerabilities can be addressed by upgrading the affected system to a newer […]
  CISA
• Abbott Laboratories Defibrillator 2022-11-25
  1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely Vendor: Abbott Laboratories Equipment: Implantable Cardioverter Defibrillator and Cardiac Synchronization Therapy Defibrillator Vulnerabilities: Improper Authentication and Improper Restriction of Power Consumption MedSec Holdings Ltd., has identified vulnerabilities in Abbott Laboratories’ (formerly St. Jude Medical) Implantable Cardioverter Defibrillator (ICD) and Cardiac Synchronization Therapy Defibrillator (CRT-D). Abbott has […]
  CISA
• Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink (Update B) 2022-11-25
  1. EXECUTIVE SUMMARY CVSS v3 7.4 ATTENTION: Exploitable Remotely / Low skill level to exploit / Public exploits are available Vendors: Silex Technology, GE Healthcare Equipment: SX-500, SD-320AN, MobileLink Vulnerabilities: Improper Authentication, OS Command Injection 2. UPDATE INFORMATION This updated advisory is a follow-up to the updated advisory titled ICSMA-18-128-01 Silex Technology SX-500/SD-320AN or GE […]
  CISA
• GE Medical Devices Vulnerability 2022-11-25
  OVERVIEW This advisory was originally posted to the HSIN ICS-CERT library on February 6, 2018, and is being released to the NCCIC/ICS-CERT website. Independent researcher Scott Erven submitted information regarding the potential use of default or hard-coded credentials in multiple GE Healthcare products. Following the researcher’s report, GE performed a self-assessment and validated that multiple […]
  CISA
• Philips iSite/IntelliSpace PACS Vulnerabilities (Update A) 2022-11-25
  1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available Vendor: Philips Equipment: iSite and IntelliSpace PACS Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Code/Source Code Vulnerabilities, Information Exposure, Code Injection, Weaknesses in OWASP Top Ten, and Improper Restriction of XML External Entity Reference […]
  CISA
• Ethicon Endo-Surgery Generator G11 Vulnerability 2022-11-25
  OVERVIEW Johnson & Johnson, the parent company of Ethicon Endo-Surgery, LLC, reported an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11. EthiconEndo-Surgery, LLC has produced updates that mitigate this vulnerability in the affected product. AFFECTED PRODUCTS The following versions of the Ethicon Endo-Surgery Generator Gen11 are affected: Ethicon Endo-Surgery Generator Gen11, all versions released […]
  CISA
• Vyaire Medical CareFusion Upgrade Utility Vulnerability 2022-11-25
  OVERVIEW Independent researcher Mark Cross (@xerubus) has identified an uncontrolled search path element vulnerability in Vyaire Medical’s CareFusion Upgrade Utility application. Vyaire Medical has produced an update that mitigates this vulnerability. AFFECTED PRODUCTS The following versions of CareFusion Upgrade Utility, designed to upgrade compatible units to the latest software versions, are affected: CareFusion Upgrade Utility […]
  CISA
• B. Braun Medical SpaceCom Open Redirect Vulnerability 2022-11-25
  OVERVIEW This advisory was originally posted to the NCCIC Portal on March 23, 2017, and is being released to the ICS-CERT web site. Marc Ruef and Rocco Gagliardi of scip AG have identified an open redirect vulnerability in B. Braun Medical’s SpaceCom module, which is integrated into the SpaceStation docking station. B. Braun has produced […]
  CISA
• Siemens Molecular Imaging Vulnerabilities 2022-11-25
  OVERVIEW Siemens has identified two vulnerabilities in Siemens’ Molecular Imaging products running on Windows XP. Siemens is preparing updates for the affected products. These vulnerabilities could be exploited remotely. AFFECTED PRODUCTS Siemens reports that the vulnerability affects the following products: Siemens PET/CT Systems: All Windows XP-based versions, Siemens SPECT/CT Systems: All Windows XP-based versions, Siemens […]
  CISA
• BD Alaris 8000 Insufficiently Protected Credentials Vulnerability 2022-11-25
  OVERVIEW This advisory was originally posted to the NCCIC Portal on January 17, 2017, and is being released to the NCCIC/ICS-CERT web site. Becton, Dickinson and Company (BD) has identified an insufficiently protected credentials vulnerability in BD’s Alaris 8000 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. BD […]
  CISA
• BD Kiestra PerformA and KLA Journal Service Applications Hard-Coded Passwords Vulnerability 2022-11-25
  OVERVIEW Becton, Dickinson and Company (BD) has identified a hard-coded password vulnerability in BD’s Kiestra PerformA and KLA Journal Service applications that access the BD Kiestra Database. BD has produced compensating controls to reduce the risk of exploitation of the identified vulnerability by issuing product updates and defensive measures to be applied by end users. […]
  CISA
• St. Jude Merlin@home Transmitter Vulnerability (Update A) 2022-11-25
  OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSMA-17-009-01 St. Jude Merlin@home Transmitter Vulnerability that was published January 9, 2017, on the NCCIC/ICS-CERT web site. --------- Begin Update A Part 1 of 5 -------- MedSec Holdings has identified a channel accessible by nonendpoint (“man-in-the-middle”) vulnerability in St. Jude Medical's Merlin@home transmitter, […]
  CISA
• Smiths Medical CADD-Solis Medication Safety Software Vulnerabilities 2022-11-25
  OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on November 1, 2016, and is being released to the NCCIC/ICS-CERT web site. Smiths Medical has reported two vulnerabilities in Smiths Medical’s CADD-Solis Medication Safety Software that were identified by Andrew Gothard of Newcastle Upon Tyne Hospitals NHS Foundations Trust. Smiths Medical has […]
  CISA
• Animas OneTouch Ping Insulin Pump Vulnerabilities 2022-11-25
  OVERVIEW Rapid7 has identified vulnerabilities in the cybersecurity of the Animas OneTouch Ping insulin pump system. Animas will not be releasing a patch or new version to mitigate these vulnerabilities. Animas has provided compensating controls to help reduce the risk associated with the exploitation of the identified vulnerabilities, and these compensating controls may impact device […]
  CISA
• Boston Scientific ZOOM LATITUDE PRM Vulnerabilities 2022-11-25
  OVERVIEW Researchers Jonathan Butts and Billy Rios of Whitescope have identified two vulnerabilities in Boston Scientific’s ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) – Model 3120. Boston Scientific has provided compensating controls to reduce the risk of exploitation. AFFECTED PRODUCTS The following ZOOM LATITUDE PRM versions are affected: ZOOM LATITUDE PRM – Model 3120, all versions. IMPACT Successful […]
  CISA
• Siemens Molecular Imaging Vulnerabilities 2022-11-25
  OVERVIEW Siemens has identified four vulnerabilities in Siemens’ Molecular Imaging products running on Windows 7. Siemens is preparing updates for the affected products. These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available. AFFECTED PRODUCTS Siemens reports that the vulnerabilities affect the following products: Siemens PET/CT Systems: All […]
  CISA
• Philips IntelliSpace Cardiovascular System and Xcelera System Vulnerability 2022-11-25
  OVERVIEW Philips reported a vulnerability in the Philips’ IntelliSpace Cardiovascular and Xcelera cardiac image and information management systems. Philips has produced updates that mitigate this vulnerability in the affected products. This vulnerability could be exploited remotely. AFFECTED PRODUCTS Philips reports that the vulnerability affects the following versions of the IntelliSpace Cardiovascular and Xcelera cardiac image […]
  CISA
• BMC Medical and 3B Medical Luna CPAP Machine 2022-11-25
  OVERVIEW MedSec has identified an improper input validation vulnerability in BMC Medical’s and 3B Medical’s Luna continuous positive airway pressure (CPAP) therapy machine. For devices released after July 1, 2017, this vulnerability has been addressed. For devices released prior to July 1, 2017, BMC Medical and 3B Medical offer no mitigations. AFFECTED PRODUCTS The following […]
  CISA
• Philips IntelliSpace Cardiovascular System Vulnerability 2022-11-25
  OVERVIEW Philips reported an insufficient session expiration vulnerability in the Philips’ IntelliSpace Cardiovascular cardiac image and information management systems. Philips is creating a software update to mitigate this vulnerability in the affected products. AFFECTED PRODUCTS Philips reports that the vulnerability affects the following versions of the IntelliSpace Cardiovascular: IntelliSpace Cardiovascular, Version 2.3.0 and prior. IMPACT […]
  CISA
• Philips' DoseWise Portal Vulnerabilities 2022-11-25
  OVERVIEW Philips has identified Hard-coded Credentials and Cleartext Storage of Sensitive Information vulnerabilities in Philips’ DoseWise Portal (DWP) web application. Philips has updated product documentation and produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely. AFFECTED PRODUCTS The following Philips DWP versions are affected: DoseWise Portal, Versions 1.1.7.333 and 2.1.1.3069 […]
  CISA