Date: 30 Sept 2019
Products Covered: Spacelabs Patient Monitoring, Cardiology, and Anesthesia Products

Security Advisory

BlueKeep: RDP Vulnerability in older Microsoft operating systems (CVE-2019-0708)

Ref Doc ID Version Release Date Advisory Status Related CVE(s) Severity Rating
CSN 077-0461-00 2.0 13 Sept 2019 ACTIVE CVE-2019-0708[1] 9.8 CRITICAL (CVSS 3)

1.    INTRODUCTION

A Remote Code Execution (RCE) vulnerability CVE-2019-0708 (also known as “BlueKeep”) exists in the Remote Desktop Protocol (RDP) for many older Microsoft Windows operating systems.

Microsoft Security Advisory for CVE-2019-0708 provides the following security vulnerability summary:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.[2]

2.    Affected Products

A.    Spacelabs Hardware Devices
We have performed a thorough review of Spacelabs Patient Monitoring and Diagnostic Cardiology products and determined that the Spacelabs Xhibit® Telemetry Receiver (XTR) product is the only product that is directly affected and requires action.

While Xhibit Central Station (96102) and Xhibit XC4 (96501) use the Windows operating system, these products do not include RDP, and therefore no action is required.

Summary of Affected Hardware Products

Product Product Use Recommended Remediations
Xhibit Telemetry Receiver (XTR)
Model number: 96280
XTR is a closed architecture appliance that operates as a gateway for collection of telemetry data from Spacelabs telemetry transmitters.

We have confirmed that the current version (1.2.1) of XTR, as well as version 1.1.1, are not vulnerable to a BlueKeep attack.

We have determined that version 1.0.2 could be vulnerable if it has been implemented to interoperate with Spacelabs’ XprezzNet Integration gateway. All deployed XTR hardware appliances are capable of update. The recommended remediation is that customers update to the newest release (1.2.1).

B.    Action Required to Perform Remediation to Medical Appliances

We have determined that XTR version 1.0.2 is vulnerable to BlueKeep, but since the product is required to be implemented on an isolated VLAN, this implementation would normally block an attack based on this vulnerability. However, if the XTR 1.0.2 product has been implemented to inter-operate with a Spacelabs XprezzNet integration gateway, there is a chance that not all communications to the vulnerable XTR would be blocked. If you own an XTR version 1.0.2 device that may be susceptible, or have any questions about this Security Advisory, please contact Spacelabs at 1-800-522-7025 and select 2 for Technical Support.

XTR is an appliance that has no user interface, so your service representative can help you to determine the installed version of software on your XTR product and will work to coordinate updates as needed.

C.    Spacelabs Software Products Hosted on Customer Networks

Spacelabs sells certain software products that healthcare organizations host on their infrastructure using servers with Windows operating systems.  These products are Intesys® Clinical Suite (ICS) (92810), XprezzNet, Sentinel, and Pathfinder SL.

It is possible that these products are still being hosted by your organization on Microsoft Windows infrastructure that could be vulnerable to a BlueKeep attack. Customers are strongly advised to patch their equipment if affected. References [2] and [3] provide direct access to Microsoft patching resources for actively supported operating systems as well as platforms that are no longer in mainstream support.

Spacelabs routinely tests the effects of Microsoft patches on our software products to ensure that the software operation is not compromised by a patch. Patch test information and recommendations are available on our website for verified Spacelabs customers. To register for access, complete the Security Information Request Form. Once your request is approved, you will receive an email from the Spacelabs Helpdesk with login and passcode information. Patch test results will generally be posted within 30-45 days after patches are publicly released. Customers are strongly encouraged to consult these reports routinely and to apply updates immediately for patches marked “Okay to Update” in the reports.

There are some customers who may have received software deliveries pre-installed onto a computing platform. Customers are reminded that after delivery, operation and maintenance of these platforms is the customer’s responsibility. Customers should ensure up to date patching is performed.

D.    Obsolete Equipment

The Arkon (99999) anesthesiology delivery system previously sold by Spacelabs is no longer under support and customers are being transitioned to other solutions. This product, which may be connected to the customer network, uses one of the affected Microsoft Windows operating systems.  Customers who have networked products and have not completed the transition off of this equipment are encouraged to expedite the process of transition and to fully decommission these devices.

3.    Vulnerability Classification

A.    Scope

Geographic Regions Affected: Worldwide

Affected Applications or Services: The following Microsoft Windows operating systems, including both 32- and 64-bit versions, as well as all Service Pack versions are affected:

  • Windows 2000
  • Windows Vista
  • Windows XP
  • Windows 7
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

B.    Technical Details

The U.S. Department of Homeland Security’s CISA website provides the following technical details:

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.  After successfully sending the packets, the attacker would have the ability to perform a number of actions, including: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.

BlueKeep is considered “worm-able” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a manner similar to the WannaCry malware attacks of 2017. [4]

C.    CVSS v3.0 Severity and Metrics:

CVSS 3 Base Score: 9.8 CRITICAL

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Impact Score: 5.9

Exploitability Score: 3.9

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Information provided here reflects vulnerability classification using the industry standard Common Vulnerability Scoring System (CVSS). Spacelabs uses Version 3 of this standard. If needed, more information can be found at the NIST Vulnerability Metrics site.

D.    Summary Operational Risk Assessment

As described above, older versions of Spacelabs’ XTR product software use a version of Windows Embedded as the underlying operating system. XTRs are generally deployed in a dedicated and isolated network providing a level of isolation to the product. While the normal network configuration of XTR would block it from an attack based on this vulnerability, if you are using XprezzNet to connect to an XTR 1.0.2, there is a chance that an attack using this vulnerability would not be fully blocked. In this case, the BlueKeep vulnerability could allow an attacker to perform a number of actions. If compromised, these products could also be susceptible to lateral worm-based attacks that could spread across a network.

In our review of the impact of this threat, due to the fact that the normal network configuration will block attacks using this vulnerability, and since the XTR device provide monitoring services that are redundant to other patient care systems, we have determined that there is only a limited chance that a device could be compromised.  Spacelabs considers this to be a limited risk to patients, and would encourage all affected customers to pursue updates of their affected products.

4.    Work Arounds and Mitigations

Spacelabs encourages users and administrators to review the Microsoft Security Advisory [2] and the Microsoft Customer Guidance for CVE-2019-0708 [3] and apply the appropriate updates and mitigation measures as soon as possible.

Many Spacelabs products are appliances and customers are not intended to perform updates on them. But, for products or systems that are obsolete or are not able to be patched yet, this alternate mitigation step may be used to help protect against BlueKeep:

  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.

5.    Products verified to not be Affected

The impact analysis performed by Spacelabs has confirmed that the following products are not affected by this CVE (Common Vulnerability or Exposure):

  • Patient Monitoring Portfolio
    • Qube (91390)
    • Qube Mini (91389)
    • Xprezzon (91393)
    • Ultraview SL2400 (91369)
    • Ultraview SL 2600 (91370)
    • Ultraview SL 2700 (91387-27)
    • Ultraview SL 2800 (91387-28)
    • Ultraview SL 2900 (91387-29)
    • Ultraview SL3800 (91387-38)
    • Ultraview SL3900 (91387-39)
    • DM3 (91330)
    • Elance Vital Signs Monitor (93500)
    • Elance Central Station (93900)
    • C50
    • Xhibit XC48 Central Station (96102)
    • Xhibit XC4 (96501)
    • AriaTele (96281)
    • ICS (92810, 92842, 92843, 92848, 92876, 92877, 92880, 92881)
    • XprezzNet (96190)
  • Diagnostic Cardiology Portfolio
    • Lifecard (LCF)
    • EVO (EVO)
    • OnTrak (90227)
    • 90217A ABP
    • CardioExpress (98410)
    • Sentinel (98200)
    • Pathfinder SL (98000)
    • Heartwave II (90200)

6.    Additional Information

Spacelabs has adopted a cybersecurity program that is based on National Institute of Standards and Technology’s 800-53 requirements. We continually analyze our products for vulnerabilities and weaknesses in collaboration with customers, regulatory agencies, and external experts to maintain and improve the security of our products. You will find the latest cybersecurity information on our website at https://www.spacelabshealthcare.com/products/security/.

If you have any questions about this Security Advisory, please contact Spacelabs at 1-800-522-7025 and select 2 for Technical Support.

In addition, general inquiries can be submitted using the Contact Us form on our website.

References

The content from the following links is not developed by Spacelabs. These references are provided as authoritative technical references that provide more technical insight on this subject and are provided for reference purposes only.

The information in this document is subject to change without notice.  In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.

This document contains confidential and proprietary language and may not be reproduced or shared with a third party without written permission from Spacelabs. All rights to registrations and trademarks reside with their respective owners.

©2019 Spacelabs Healthcare. All rights reserved.