Date: 26 February 2020
Products Covered: Spacelabs Patient Monitoring and Diagnostic Cardiology Products
Security Advisory
CryptoAPI Product Cybersecurity Vulnerability Impact Assessment Report
Ref Doc ID | Version | Release Date | Advisory Status | Related CVE(s) | Severity Rating | Operational Risk |
079-0236-00 | A | 26 Feb 2020 | ACTIVE | CVE-2020-0601 | Low | Low |
Microsoft has released updates that fix the vulnerabilities found in the Elliptic Curve Cryptography (ECC) used in newer versions of Windows, as identified in CVE-2020-0601. These vulnerabilities were discovered by the National Security Agency (NSA) and reported via Microsoft’s Coordinated Vulnerability Disclosure process.
These vulnerabilities could be exploited by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.
2.1 SCOPE
Microsoft has released security updates to address two remote code execution vulnerabilities, CVE-2020-0601, in the following operating systems:
• Windows 10
• Windows Server 2016
• Windows Server 2019
3.1 IN SCOPE PRODUCTS
After carefully evaluating this vulnerability’s potential exploitability, it was determined that the following Spacelabs Patient Monitoring and Connectivity (PMC) and Diagnostic Cardiology (DC) products are in scope for examination, as they can be hosted on the affected operating systems.
Product | Model | Versions | Released | Requisite |
ICS | 92810, 92842, 92843, 92877, 92848, 92881 | V5.4, V5.5 | March 2019, October 2019 | Windows 10 |
Sentinel | 98200 | V10.x, V11.x | March 2015 | Windows 10 or Windows 2016 |
Pathfinder SL | 98000 | V1.9.x | August 2018 | Windows 10 or Windows 2016 |
3.2 PRODUCTS IMPACT ASSESSMENT
A review of the Spacelabs PMC and DC in-scope products has determined that these products do not use the Elliptic Curve Cryptography (ECC) algorithm; therefore, they are not affected by this vulnerability.
However, the software products listed above are installed on underlying operating systems that are owned by the Healthcare Delivery Organization (HDO). The vulnerability may remain present on the host machine itself until the proper Microsoft patches are applied.
3.3 TECHNICAL DETAILS
CVSS v3.0 Severity and Metrics:
Information provided here reflects vulnerability classification using the industry standard Common Vulnerability Scoring System (CVSS). Spacelabs uses Version 3 of this standard. If needed, more information can be found on the NIST Vulnerability Metrics site.
3.4 NATURE OF IMPACT
As stated in section 3.2, there is no impact to Spacelabs software products on a standalone basis. However, we recommend that HDOs apply the Microsoft patches listed for CVE-2020-0601 so that the Spacelabs software products are not impacted by a vulnerability in the HDO operating system.
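The two host-side checks an HDO administrator would want after reading the sections above, as an added PowerShell example that is not part of the Spacelabs advisory: verify that the installed product binaries still carry valid code signatures and report the signer's public-key algorithm (the RSA-versus-ECC property the impact assessment turns on), and query the Application log for the Microsoft-Windows-Audit-CVE events that patched Windows builds write when a certificate attempting to exploit CVE-2020-0601 is presented. The install path is a placeholder and must be adjusted to the actual product location.

```powershell
# Added example, not Spacelabs tooling. Run on the HDO-owned Windows host that
# runs ICS, Sentinel or Pathfinder SL. $ProductRoot is a placeholder path.
$ProductRoot = 'C:\Program Files\Spacelabs'   # placeholder: set to the real install directory

# 1. Authenticode check: each .exe/.dll should report Status = Valid, and the
#    signer's KeyAlgorithm tells you whether the code-signing key is RSA or ECC.
#    Unsigned files show Status = NotSigned and an empty KeyAlgorithm.
Get-ChildItem -Path $ProductRoot -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
            KeyAlgorithm = $sig.SignerCertificate.PublicKey.Oid.FriendlyName
        }
    } | Format-Table -AutoSize

# 2. Post-patch detection: once the Microsoft update for CVE-2020-0601 is installed,
#    Windows logs Event ID 1 from provider Microsoft-Windows-Audit-CVE in the
#    Application log when an exploitation attempt against the CryptoAPI flaw is
#    seen. No output means no detections (or the patch is not yet installed).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE' } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Any Audit-CVE hit should be treated as an incident on that host, and a product binary reporting anything other than Status = Valid warrants a check against the vendor's published patch test reports before the file is trusted.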
3.5 SPACELABS PRODUCTS NOT IMPACTED
The impact analysis performed by Spacelabs has confirmed that the following products are not affected by this CVE (Common Vulnerabilities and Exposures entry), as they are not hosted on any of the affected operating systems:
Spacelabs encourages HDO users and administrators to review the Microsoft Security Advisory for CVE-2020-0601 and apply the appropriate patches. As the vulnerability does not affect Spacelabs software directly, the maintenance of the underlying operating systems is the responsibility of the HDOs. There are no other recommended mitigations specific to Spacelabs products.
Spacelabs routinely tests the effects of Microsoft patches on our software products to ensure that the software operation is not compromised by a patch. Patch test information and recommendations are available on our website for verified Spacelabs customers. To register for access, complete the Security Information Request Form. Once your request is approved, you will receive an email from the Spacelabs Helpdesk with login and passcode information.
Patch test results will generally be posted within 30-45 days after patches are publicly released. Customers are strongly encouraged to consult these reports routinely and to apply updates immediately for patches marked “Okay to Update” in the reports.
References
[1] CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
[2] NIST Vulnerability Metrics site
Spacelabs will provide communications to its customers about these vulnerabilities.
Version | Release Date | Purpose |
Rev A | February 26, 2020 | Customer Bulletin: CryptoAPI Product Cybersecurity Vulnerability Impact Assessment Report |
The information in this document is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.
This document contains confidential and proprietary language and may not be reproduced or shared with a third party without written permission from Spacelabs. All rights to registrations and trademarks reside with their respective owners.
©2020 Spacelabs Healthcare. All rights reserved.