Updated: 29 October 2019

Operational Risk Assessment Summary

Spacelabs considers the operational risk to its devices from an Urgent-11 attack to be low. In our review of the impact of this threat, due to the fact that a properly configured firewall in the hospital network would mitigate the likelihood of an attack from outside the organization, and since remote code execution would require that a bad actor already be positioned within the hospital network as a result of a prior attack, that there is only a limited chance that a device could be compromised.

In the event that a Spacelabs monitor is compromised due to an attack exploiting Urgent-11 vulnerabilities, common hospital protocol involves the use of multiple parameters and physical assessment of patients in determining treatment, thus decreasing the likelihood of mistreatment. There are also typically redundant alarm systems in place to decrease the likelihood of delay in treatment.

Spacelabs is developing monitor software patches that will soon be available to keep an attack from using the identified operating system vulnerabilities. In the meantime, customers are encouraged to ensure the hospital maintain a secure network firewall to protect its products and data. Enterprise security firm Armis has posted a report listing a number of mitigations that can be put in place.  Please see  https://armis.com/urgent11/ for details.

Updated: 17 October 2019

Technical Advisory

Spacelabs Urgent-11 Technical Advisory is available to registered Spacelabs customers.

Updated: 30 September 2019

Security Advisory

VxWorks is a Real Time Operating System developed and supported by WindRiver Corporation. VxWorks is widely used and can be found in thousands of models of equipment in the aerospace, defense, automotive, medical, networking and communications industries. VxWorks is also used in certain Spacelabs Healthcare products.

In a coordinated vulnerability disclosure process, on July 29, 2019, Armis, an enterprise security firm, and WindRiver publicized information regarding a set of 11 vulnerabilities in the IPNet service that is in the VxWorks Operating System. These eleven vulnerabilities are known collectively by the name “Urgent-11”.

VxWorks TCP/IP Stack (IPnet) Vulnerabilities
Our Spacelabs product engineering and security teams evaluated the impact of the Urgent-11 vulnerabilities on Spacelabs products, including a technical impact assessment and review of risk to patient safety. During this process, we have determined that some of our patient monitors are running vulnerable versions of the Operating System. It is important that you review the following information carefully to identify whether your Spacelabs medical devices are affected, what risks are associated with the vulnerabilities, and what you can do to remediate those risks.

Affected Products
Spacelabs has determined that the following products could be impacted by these vulnerabilities.

• • Current Spacelabs bedside monitors (Xprezzon, Qube, Qube Mini), which use VxWorks 6.6.
  • Older Ultraview Spacelabs bedside monitors which used VxWorks 6.6 as of their final release.
  • Older Ultraview Spacelabs central monitors which used VxWorks 6.6 as of their final release.

VxWorks versions prior to 6.5 are not affected by the Urgent-11 vulnerabilities.

Impacted Product Versions

Vulnerability Impacts
As discussed above, Urgent-11 is a set of 11 vulnerabilities found to affect VxWorks’ TCP/IP stack (IPnet). These vulnerabilities could be used to compromise a Spacelabs product in the following ways:

• Monitor Reset: The most likely risk from these vulnerabilities is that an attack could force the Spacelabs monitor to reboot. The monitor would automatically restart if it remains powered on (standard behavior). Alarm settings would persist and monitoring would resume after the system reset. This entire process (recovery and restart) would be completed within 30 seconds or less.
• Denial of Service: While less likely, it could be possible to create a cascade of monitor resets directed at the same monitor. This would result in loss of patient monitoring. This attack would be evident to the healthcare staff, and in response, the monitor could be taken off-line from the network to stop the attack. By being taken off-line there would be a loss of communication to centralized monitoring services such a central station or ICS, but local patient monitoring would continue at the device level.
• Remote Code Execution: In limited scenarios, it may be possible to craft an attack using one of the Urgent-11 vulnerabilities where the attacker can make different information appear on monitors than is accurate for the patient. This vulnerability creates the highest operational risk, but it would be a very complex attack to implement. The correct patient information remains on remote monitors, in ICS, and in the EHR.

Armis is a security research firm that identified the Urgent-11 vulnerabilities. Armis has stated it will not release specifics about the way they constructed the attacks that illustrate the vulnerabilities. These vulnerabilities have not been weaponized at this time.

Our analysis has shown that it is unlikely that an attack that makes use of the vulnerabilities would impact clinical use. To date, Spacelabs Healthcare has received no complaints involving clinical use that we have been able to associate with Urgent-11.

Recommendations
Spacelabs Healthcare is developing specific patches for each of our impacted products. Existing customers can sign up to our customer portal for access to our latest patches at (www.spacelabshealthcare.com/products/security/). We expect to release the patch for our current products by the end of October 2019. The patch for our older UVSL products that are affected will be released shortly thereafter.

If you need help in identifying the Spacelabs products that are impacted, contact Spacelabs Technical Support at 800-522-7025.

It is possible to block the potential for attacks that use these vulnerabilities via firewall rules that filter specific network traffic. Updated and monitored hospital firewalls can mitigate many of the attack vectors and thus not allow the Spacelabs devices to become compromised.

The enterprise security firm Armis has posted a report on its website listing a number of mitigations that can be put in place.  Please see https://armis.com/urgent11/.

More information:
Spacelabs is publishing a more in depth technical advisory of the analysis of these vulnerabilities at the ICS-CERT website (www.us-cert.gov/ics). This report is being published under TPS protocol and can be accessed via validated medical device owners at the CISA ICS-CERT site (https://www.us-cert.gov/ics).

This information is also being made available to registered users of the Spacelabs Cybersecurity Portal (www.spacelabshealthcare.com/products/security/).  Please refer to these sites for the latest information on identified threats and Spacelabs product mitigations.