3.1 PRODUCTS IMPACTED
After a thorough review of Spacelabs Patient Monitoring and Connectivity and Diagnostic Cardiology products, it was determined that the Spacelabs Xhibit® Telemetry Receiver (XTR) product is the only product that is directly affected and requires action.
While Xhibit Central Station (96102) and Xhibit XC4 (96501) run the Windows operating system, these products do not include RDP, and therefore no action is required. Remote access to Xhibit is enabled only through the customer-provided VPN, integrated into the customer's own network, which will normally block an attack based on this vulnerability.
Spacelabs sells certain software products that healthcare organizations host on their infrastructure using servers with Windows operating systems. These products are Intesys® Clinical Suite (ICS) (92810), XprezzNet, Sentinel, and Pathfinder SL.
It is possible that these products are being hosted by your organization on Microsoft Windows infrastructure that could be vulnerable to a DejaBlue attack. Customers are strongly advised to patch their equipment if affected. References [2] and [3] provide direct access to Microsoft patching resources.
Spacelabs routinely tests the effects of Microsoft patches on our software products to ensure that the software operation is not compromised by a patch. Patch test information and recommendations are available on our website for verified Spacelabs customers. To register for access, complete the Security Information Request Form. Once your request is approved, you will receive an email from the Spacelabs Helpdesk with login and passcode information. Patch test results will generally be posted within 30-45 days after patches are publicly released. Customers are strongly encouraged to consult these reports routinely and to apply updates immediately for patches marked “Okay to Update” in the reports.
Some customers may have received software deliveries pre-installed on a computing platform. Customers are reminded that after delivery, operation and maintenance of these platforms is the customer's responsibility, and that includes keeping the platform's patching up to date.
The Cambridge Heart HearTwave II Stress ECG/MTWA System (90200) could be vulnerable to this issue, wherein unauthorized modifications to the operating system would result in system failure. However, there would not be a risk of direct injury to the patient. Customers who are concerned about this issue are advised to disconnect these devices from the network.
3.2 SPACELABS PRODUCTS NOT IMPACTED
The impact analysis performed by Spacelabs has confirmed that the following products are not affected by this CVE (Common Vulnerabilities and Exposures identifier):
- Patient Monitoring Portfolio
- Qube (91390)
- Qube Mini (91389)
- Xprezzon (91393)
- Ultraview SL2400 (91369)
- Ultraview SL 2600 (91370)
- Ultraview SL 2700 (91387-27)
- Ultraview SL 2800 (91387-28)
- Ultraview SL 2900 (91387-29)
- Ultraview SL3800 (91387-38)
- Ultraview SL3900 (91387-39)
- DM3 (91330)
- Elance Vital Signs Monitor (93500)
- Elance Central Station (93900)
- C50
- Xhibit XC48 Central Station (96102)
- Xhibit XC4 (96501)
- AriaTele (96281)
- Diagnostic Cardiology Portfolio
- Lifecard (LCF)
- EVO (EVO)
- OnTrak (90227)
- 90217A ABP
- CardioExpress (98410)
3.3 TECHNICAL DETAILS
CVSS v3.0 Severity and Metrics:
- Base Score: 9.8 CRITICAL
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Impact Score: 5.9
- Exploitability Score: 3.9
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
Information provided here reflects vulnerability classification using the industry standard Common Vulnerability Scoring System (CVSS). Spacelabs uses Version 3 of this standard. If needed, more information can be found at the NIST Vulnerability Metrics site.
3.4 NATURE OF IMPACT
As stated earlier, this vulnerability can be exploited only when an unauthenticated attacker sends a specially crafted request to the target system via RDP, which can result in arbitrary code execution. Exploitation of this vulnerability may also cause the operating system or application to become unresponsive until it is restarted manually, or to exit unexpectedly without recovering automatically.
3.5 OPERATIONAL RISK
Spacelabs has determined that the operational risk from DejaBlue to its Patient Monitoring, Connectivity, and Diagnostic Cardiology products is low.
ICS, XprezzNet, Sentinel and Pathfinder SL are not used for monitoring of patients, so the worst-case impact would be access to, or modification of, stored information by a malicious third party. The data from these software products is only ever used by a clinician as one part of the data required to make a diagnosis. Spacelabs considers this a limited risk to patient safety, and encourages all affected customers to pursue updates of their affected products.
As described above, while the operating systems used to host Sentinel and Pathfinder SL could be affected by the DejaBlue vulnerability, these software products do not require the use of RDP. If customers have enabled RDP for administering host platforms in their data center, they are strongly encouraged to patch those platforms. Patches are available from Microsoft and have been validated not to impact the operation of the Spacelabs products. Customers are also encouraged to filter the network traffic they allow, as described in the mitigation recommendations in section 4.
As reported in CSN 077-0461-00 rev B, XTR 1.0.2 has some exposure to the BlueKeep variation of this threat. The more recently disclosed DejaBlue variations add no new or additional vulnerability to the XTR product. If you are using XTR v1.0.2, please consult CSN 077-0461-00 rev B for more information.
HearTwave II Stress ECG/MTWA System (90200) uses one of the affected Microsoft Windows operating systems. However, exploitation of the vulnerability would not pose a direct risk to the patient, as the system would fail. The recommended mitigation for customers using HearTwave II is to keep the systems off the network.
4. MITIGATIONS AND REMEDIATIONS
For each impacted Product/Version, Microsoft recommends that you install the updates for this vulnerability as soon as possible.
- Disable Remote Desktop Services if they are not required: If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
- Enable Network Level Authentication (NLA): You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
- Block TCP port 3389 at the enterprise perimeter firewall: TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
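The three mitigations above, as an added PowerShell example that is not part of the Spacelabs advisory and not Spacelabs or Microsoft code: run on a Windows host that hosts ICS, XprezzNet, Sentinel or Pathfinder SL, it reports whether Remote Desktop is enabled, whether NLA is required, whether anything listens on TCP 3389 and which inbound firewall rules cover that port, and with -Remediate it either switches RDP off (-DisableRdp) or enforces NLA and scopes port 3389 to a management subnet. The management subnet 10.0.0.0/24, the firewall rule name and the Get-RdpExposure function are assumptions for illustration. The -RequiredKB value is deliberately left for the operator: this page does not name the update's KB number, so take it from the Microsoft resources in references [2] and [3]. Host-side scoping of 3389 complements, and does not replace, the perimeter block recommended above.

```powershell
# Added example, not part of the Spacelabs advisory or of any Spacelabs or
# Microsoft product. Audits the RDP mitigations from section 4 on this host
# and applies them with -Remediate. Run in an elevated PowerShell session.
# Operator-supplied assumptions: -ManagementSubnet (the only network allowed to
# reach TCP 3389) and -RequiredKB (the DejaBlue update KB for this OS build,
# taken from the Microsoft references; it is not listed on this page).
param(
    [switch]$Remediate,
    [switch]$DisableRdp,                          # RDP is not required on this host
    [string]$ManagementSubnet = '10.0.0.0/24',    # assumed value; replace with your own
    [string]$RequiredKB                           # e.g. 'KB<number>' from reference [2]/[3]
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpOn = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA: the peer must authenticate (CredSSP)
    # before the pre-authentication session setup an unauthenticated
    # attacker would otherwise reach.
    $nlaOn = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # Enabled inbound rules whose port filter covers TCP 3389.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
             Where-Object { $_.LocalPort -eq 3389 } |
             Get-NetFirewallRule |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        RdpEnabled    = $rdpOn
        NlaRequired   = $nlaOn
        Listening3389 = [bool]$listen
        InboundRules  = ($rules | ForEach-Object { "$($_.DisplayName) ($($_.Action))" }) -join '; '
        PatchPresent  = if ($RequiredKB) {
                            [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)
                        } else { 'not checked: pass -RequiredKB' }
    }
}

Write-Host 'Before:'
Get-RdpExposure | Format-List
if (-not $Remediate) { return }

if ($DisableRdp) {
    # Mitigation 1: RDP is not needed, so switch it off and stop the service
    # so that nothing listens on 3389 at all.
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    Stop-Service TermService -Force
    Set-Service TermService -StartupType Disabled
} else {
    # Mitigation 2: require NLA and the TLS security layer (SecurityLayer 2).
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1
    Set-ItemProperty $rdpKey -Name SecurityLayer      -Value 2

    # Mitigation 3, host-side counterpart of the perimeter block: disable the
    # built-in any-source "Remote Desktop" allow rules and allow 3389 only from
    # the management subnet. Windows Firewall evaluates block rules before
    # allow rules, so a blanket block on 3389 would also cut off management
    # access; scoping the allow rule and relying on the default inbound block
    # is the correct shape.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $name = 'RDP (TCP 3389) from management subnet only'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    }
}

Write-Host 'After:'
Get-RdpExposure | Format-List
```

Run it once without -Remediate to record the current state, and compare the "Before" and "After" reports after remediation. The only fully reliable mitigation remains the Microsoft update: NLA and port scoping reduce who can reach the vulnerable code, but an attacker with a valid account, or already inside the management subnet, can still exploit an unpatched host.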