Date: 26 February 2020

Products Covered: Spacelabs Patient Monitoring and Diagnostic Cardiology Products

Security Advisory

CryptoAPI Product Cybersecurity Vulnerability Impact Assessment Report

Ref Doc ID: 079-0236-00
Version: A
Release Date: 26 Feb 2020
Advisory Status: ACTIVE
Related CVE(s): Microsoft has released updates that fix the vulnerabilities found in the Elliptic Curve Cryptography (ECC) used in newer versions of Windows, as identified in CVE-2020-0601.
Severity Rating: Low
Operational Risk: Low

1. VULNERABILITY

Microsoft has released updates that fix the vulnerabilities found in the Elliptic Curve Cryptography (ECC) used in newer versions of Windows, as identified in CVE-2020-0601. These vulnerabilities were discovered by the National Security Agency (NSA) and reported via Microsoft’s Coordinated Vulnerability Disclosure process.

2. EXPLOIT DESCRIPTION

These vulnerabilities could be exploited by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.

2.1 SCOPE
Microsoft has released security updates to address two remote code execution vulnerabilities, CVE-2020-0601, in the following operating systems:

• Windows 10
• Windows Server 2016
• Windows Server 2019

3. EXAMINATION OF SPACELABS PRODUCTS

3.1 IN SCOPE PRODUCTS
After carefully evaluating this vulnerability’s potential exploitability, it was determined that the following Spacelabs Patient Monitoring and Connectivity (PMC) and Diagnostic Cardiology (DC) products are in scope for examination, as they can be hosted on the relevant operating systems.

Product       | Model                                        | Versions      | Released                  | Requisite
ICS           | 92810, 92842, 92843, 92877, 92848, 92881     | V5.4 / V5.5   | March 2019 / October 2019 | Windows 10
Sentinel      | 98200                                        | V10.x / V11.x | March 2015                | Windows 10 or Windows 2016
Pathfinder SL | 98000                                        | V1.9.x        | August 2018               | Windows 10 or Windows 2016

3.2 PRODUCTS IMPACT ASSESSMENT
A review of the Spacelabs PMC and DC in-scope products has determined that these products do not use the Elliptic Curve Cryptography (ECC) algorithm; therefore, they are not affected by this vulnerability.

However, the software products listed above are installed on underlying operating systems that are owned by the Healthcare Delivery Organization (HDO). The vulnerabilities may exist on the host machine itself until the proper Microsoft patches are applied.

3.3 TECHNICAL DETAILS
CVSS v3.0 Severity and Metrics:

  • Base Score: 8.1 High
    Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
    Impact Score: 5.2
    Exploitability Score: 2.8
  • Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): Required
    Scope (S): Unchanged
    Confidentiality (C): High
    Integrity (I): High
    Availability (A): None

Information provided here reflects vulnerability classification using the industry standard Common Vulnerability Scoring System (CVSS). Spacelabs uses Version 3 of this standard. If needed, more information can be found on the NIST Vulnerability Metrics site.

3.4 NATURE OF IMPACT
As stated in section 3.2, there is no impact to Spacelabs software products on a standalone basis. However, we recommend that HDOs apply the Microsoft patches listed for CVE-2020-0601 so that the Spacelabs software products are not impacted by a vulnerability in the HDO operating system.

3.5 SPACELABS PRODUCTS NOT IMPACTED
The impact analysis performed by Spacelabs has confirmed that the following products are not affected by this CVE (Common Vulnerabilities and Exposures entry), as they are not hosted on any of the affected operating systems:

  • Patient Monitoring Portfolio
    • Qube (91390)
    • Qube Mini (91389)
    • Xprezzon (91393)
    • Ultraview SL2400 (91369)
    • Ultraview SL 2600 (91370)
    • Ultraview SL 2700 (91387-27)
    • Ultraview SL 2800 (91387-28)
    • Ultraview SL 2900 (91387-29)
    • Ultraview SL3800 (91387-38)
    • Ultraview SL3900 (91387-39)
    • DM3 (91330)
    • Elance Vital Signs Monitor (93500)
    • Elance Central Station (93900)
    • Comen C50
    • Xhibit XC48 Central Station (96102)
    • Xhibit XC4 (96501)
    • AriaTele (96281)
    • XprezzNet (96190)
  • Diagnostic Cardiology Portfolio
    • Lifecard (LCF)
    • EVO (EVO)
    • OnTrak (90227)
    • 90217A ABP
    • CardioExpress (98410)
    • Heartwave II (90200)

4. MITIGATIONS AND REMEDIATIONS

Spacelabs encourages HDO users and administrators to review the Microsoft Security Advisory for CVE-2020-0601 and apply the appropriate patches. As the vulnerability does not affect Spacelabs software directly, the maintenance of the underlying operating systems is the responsibility of the HDOs. There are no other recommended mitigations specific to Spacelabs products. Spacelabs routinely tests the effects of Microsoft patches on our software products to ensure that the software operation is not compromised by a patch. Patch test information and recommendations are available on our website for verified Spacelabs customers. To register for access, complete the Security Information Request Form. Once your request is approved, you will receive an email from the Spacelabs Helpdesk with login and passcode information. Patch test results will generally be posted within 30-45 days after patches are publicly released. Customers are strongly encouraged to consult these reports routinely and to apply updates immediately for patches marked “Okay to Update” in the reports.

References

[1] CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
[2] NIST Vulnerability Metrics site

5. ADDITIONAL INFORMATION

Spacelabs will provide communications to its customers about these vulnerabilities.

  • A CSN (Customer Service Notice) will be created to inform HDOs of the value of patching affected operating systems.
  • The CSN will be:
    • Available in the cybersecurity area of the Spacelabs web site.
    • Distributed to the CSN distribution list via email.
    • Posted to ICS-CERT and UK-CERT to make more HDOs aware of these recommendations.

6. DOCUMENT HISTORY

Version: Rev A
Release Date: February 26, 2020
Purpose: Customer Bulletin: CryptoAPI Product Cybersecurity Vulnerability Impact Assessment Report

7. TERMS OF USE

The information in this document is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.

This document contains confidential and proprietary language and may not be reproduced or shared with a third party without written permission from Spacelabs. All rights to registrations and trademarks reside with their respective owners.

©2020 Spacelabs Healthcare. All rights reserved.