Date: 13 January 2020
Products Covered: Spacelabs Patient Monitoring and Diagnostic Cardiology Products

Security Advisory

Product Cybersecurity DejaBlue Vulnerability Impact Assessment Report

Ref Doc ID: 079-0234-00
Version: A
Release Date: 06 Jan 2020
Advisory Status: ACTIVE
Related CVE(s): DejaBlue with CVE vulnerabilities identified as CVE-2019-1181 and CVE-2019-1182
Severity Rating: 9.8 CRITICAL (CVSS 3)
Operational Risk: Low

1. VULNERABILITY

Microsoft has released updates for several versions of Microsoft Windows which address vulnerabilities in the Remote Desktop Service that are discussed under the name DejaBlue with CVE vulnerabilities identified as CVE-2019-1181 and CVE-2019-1182. The vulnerabilities could allow an unauthenticated remote attacker to access or execute arbitrary code on the target system if the system exposes the RDP service to the network. These vulnerabilities were discovered by Microsoft during hardening of Remote Desktop Services as part of their continual focus on strengthening the security of their products.
Microsoft analysis has shown that the exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers and therefore more likely that exploits could be created.

2. EXPLOIT DESCRIPTION

The remote code execution vulnerability exists in Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

2.1 SCOPE
Microsoft has released security updates to address two remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, in the following operating systems:

• Windows 7 SP1
• Windows Server 2008 R2 SP1
• Windows Server 2012
• Windows 8.1
• Windows Server 2012 R2
• Windows 10
• Windows Server 2016
• Windows Server 2019

An attacker could exploit these vulnerabilities to take control of an affected system. Like CVE-2019-0708—dubbed BlueKeep—these vulnerabilities are considered “wormable” because malware exploiting these vulnerabilities on a system could propagate to other vulnerable systems.

3. IN-SCOPE PRODUCTS

After carefully evaluating this vulnerability’s potential exploitability, it was determined that the following Spacelabs Patient Monitoring and Connectivity (PMC) and Diagnostic Cardiology (DC) products should be in scope for examination.

Product: Xhibit
  Model: 96102
  Versions: 1.0.0-1.3.5
  Released: 2013-2018
  Requisite OS: Windows 7 SP1

Product: XC4
  Model: 96501
  Versions: 1.2.1-1.3.5
  Requisite OS: Windows 7 SP1

Product: ICS
  Models: 92810, 92842, 92843, 92877, 92848, 92881
  Versions: V4.03.00-5.01.00, V4.03.00-5.02.02, V4.02.02
  Released: 2012, 2011
  Requisite OS: Windows 7, Windows 8.1, Windows 10, Windows 2012 R2

Product: XprezzNet
  Model: 96190
  Versions: V1.3.5
  Released: 2013
  Requisite OS: Windows 2012 R2, Windows 2008 R2

Product: Sentinel
  Model: 98200
  Versions: V9.0.X-V11.0
  Requisite OS: Windows 7 SP1, Windows 10, Windows 2008 R2 SP1, Windows 2012, Windows 2012 R2

Product: Pathfinder SL
  Model: 98000
  Versions: V1.9.X, 1.8, 1.7.X
  Requisite OS: Windows 7, Windows 10

Product: Cardioline Cubestress ECG
  Model: Cubestress ECG
  Requisite OS: Windows 8.1, Windows 10

Product: Cambridge Heart HearTwave II
  Model: 90200
  Requisite OS: Windows 7

3.1 PRODUCTS IMPACTED
After a thorough review of Spacelabs Patient Monitoring and Connectivity and Diagnostic Cardiology products, it was determined that the Spacelabs Xhibit® Telemetry Receiver (XTR) product is the only product that is directly affected and requires action.

While Xhibit Central Station (96102) and Xhibit XC4 (96501) use the Windows operating system, these products do not include RDP, and therefore no action is required. Remote access to Xhibit is enabled only through customer-provided VPN access integrated into the customer’s network, which will normally block an attack based on this vulnerability.

Spacelabs sells certain software products that healthcare organizations host on their infrastructure using servers with Windows operating systems. These products are Intesys® Clinical Suite (ICS) (92810), XprezzNet, Sentinel, and Pathfinder SL.
It is possible that these products are being hosted by your organization on Microsoft Windows infrastructure that could be vulnerable to a DejaBlue attack. Customers are strongly advised to patch their equipment if affected. References [2] and [3] provide direct access to Microsoft patching resources.
Spacelabs routinely tests the effects of Microsoft patches on our software products to ensure that the software operation is not compromised by a patch. Patch test information and recommendations are available on our website for verified Spacelabs customers. To register for access, complete the Security Information Request Form. Once your request is approved, you will receive an email from the Spacelabs Helpdesk with login and passcode information. Patch test results will generally be posted within 30-45 days after patches are publicly released. Customers are strongly encouraged to consult these reports routinely and to apply updates immediately for patches marked “Okay to Update” in the reports.
Some customers may have received software deliveries pre-installed onto a computing platform. Customers are reminded that after delivery, operation and maintenance of these platforms is the customer’s responsibility. Customers should ensure that up-to-date patching is performed.

The Cambridge Heart HearTwave II Stress ECG/MTWA System (90200) could be vulnerable to this issue, wherein unauthorized modifications to the operating system would result in system failure. However, there would not be a risk of direct injury to the patient. Customers who are concerned about this issue are advised to disconnect these devices from the network.

3.2 SPACELABS PRODUCTS NOT IMPACTED
The impact analysis performed by Spacelabs has confirmed that the following products are not affected by these CVEs (Common Vulnerabilities and Exposures):

    • Patient Monitoring Portfolio
      • Qube (91390)
      • Qube Mini (91389)
      • Xprezzon (91393)
      • Ultraview SL2400 (91369)
      • Ultraview SL 2600 (91370)
      • Ultraview SL 2700 (91387-27)
      • Ultraview SL 2800 (91387-28)
      • Ultraview SL 2900 (91387-29)
      • Ultraview SL3800 (91387-38)
      • Ultraview SL3900 (91387-39)
      • DM3 (91330)
      • Elance Vital Signs Monitor (93500)
      • Elance Central Station (93900)
      • C50
      • Xhibit XC48 Central Station (96102)
      • Xhibit XC4 (96501)
      • AriaTele (96281)
    • Diagnostic Cardiology Portfolio
      • Lifecard (LCF)
      • EVO (EVO)
      • OnTrak (90227)
      • 90217A ABP
      • CardioExpress (98410)

3.3 TECHNICAL DETAILS
CVSS v3.0 Severity and Metrics:

    • Base Score: 9.8 CRITICAL
      Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (V3.0 legend)
      Impact Score: 5.9
      Exploitability Score: 3.9
    • Attack Vector (AV): Network
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): None
      Scope (S): Unchanged
      Confidentiality (C): High
      Integrity (I): High
      Availability (A): High

Information provided here reflects vulnerability classification using the industry standard Common Vulnerability Scoring System (CVSS). Spacelabs uses Version 3 of this standard. If needed, more information can be found at the NIST Vulnerability Metrics site.
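The metric values above can be checked against the published Impact, Exploitability and Base scores using the CVSS v3.0 base-score equations and the weights from the specification. This worked check is added here for reference and is not part of the Spacelabs advisory. The v3.0 weights used are: AV:N = 0.85, AC:L = 0.77, PR:N (Scope Unchanged) = 0.85, UI:N = 0.85, and High = 0.56 for each of C, I and A; Roundup rounds up to one decimal place.

ISS = 1 - (1 - 0.56)(1 - 0.56)(1 - 0.56) = 1 - 0.44^3 = 0.914816
Impact (Scope Unchanged) = 6.42 x ISS = 5.8731...  ->  Roundup = 5.9
Exploitability = 8.22 x 0.85 x 0.77 x 0.85 x 0.85 = 3.8870...  ->  Roundup = 3.9
Base = Roundup(min(Impact + Exploitability, 10)) = Roundup(9.7601...) = 9.8

The base score is computed from the unrounded sub-scores, and all three results agree with the figures in the table above.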

3.4 NATURE OF IMPACT
As stated earlier, this vulnerability can be exploited only when an unauthenticated attacker sends specially crafted requests to the target system via RDP to cause arbitrary code execution. Exploitation of this vulnerability may cause the operating system or application to become permanently unresponsive until it is restarted manually, or to exit unexpectedly without automatically recovering.

3.5 OPERATIONAL RISK
Spacelabs has determined that the operational risk from DejaBlue to its Patient Monitoring, Connectivity, and Diagnostic Cardiology products is low.
ICS, XprezzNet, Sentinel and Pathfinder SL are not used for monitoring of patients, so the worst-case impact would be access to or modification of stored information by a malicious third party. However, the data from these software products is only ever used by a clinician as one part of the data required to make a diagnosis. Spacelabs considers this to be a limited risk to patient safety, and would encourage all affected customers to pursue updates of their affected products.
As described above, while the Operating Systems used to host Sentinel and Pathfinder SL could be affected by the DejaBlue vulnerability, these software products do not require the use of RDP. If customers have enabled RDP for use in administering host platforms in their data center, they are strongly encouraged to patch their platforms. Patches are available from Microsoft and have been validated to not impact the operation of the Spacelabs products. They are also encouraged to filter the network traffic they allow as described in the mitigation recommendations in section 4.
As reported in CSN 077-0461-00 rev B, XTR 1.0.2 has some vulnerability to the BlueKeep variation of this threat. There is no new or additional vulnerability added to the XTR product by the more recently disclosed DejaBlue variations of these vulnerabilities. If you are using XTR v1.0.2, please consult CSN 077-0461-00 rev B for more information.
HearTwave II Stress ECG/MTWA System (90200) uses one of the affected Microsoft Windows operating systems. However, exploitation of the vulnerability would not pose a direct risk to the patient, as the system would fail. The recommended mitigation for customers using HearTwave II is to keep the systems off the network.

4. MITIGATIONS AND REMEDIATIONS

For each impacted Product/Version, Microsoft recommends that you install the updates for this vulnerability as soon as possible.

  • Disable Remote Desktop Services if they are not required: If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
  • Enable Network Level Authentication (NLA): You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
  • Block TCP port 3389 at the enterprise perimeter firewall: TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
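A host-side check of the three mitigations above, added here as an example; it is not part of the Spacelabs advisory and is not Spacelabs or Microsoft tooling. It assumes an elevated PowerShell session on the Windows host that runs the Spacelabs software, uses the standard Terminal Server registry keys and service name, and takes a KB identifier as a placeholder because this advisory does not list the Microsoft update numbers (take the KB for your OS from the Microsoft advisory for CVE-2019-1181 and CVE-2019-1182). By default it only reports; the two switches apply mitigations 1 and 2 on the host.

```powershell
# Added example (not Spacelabs or Microsoft code): audit one Windows host for the
# DejaBlue mitigations (RDP disabled, NLA required, 3389 not exposed, update installed).
# Assumptions: elevated session; standard Terminal Server registry keys; $PatchKB is a
# placeholder to be replaced with the KB number for this host's OS.
param(
    [string]$PatchKB = 'KB0000000',   # placeholder: KB for CVE-2019-1181/1182 on this OS
    [switch]$EnforceNla,              # mitigation 2: require Network Level Authentication
    [switch]$DisableRdp               # mitigation 1: turn Remote Desktop Services off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # fDenyTSConnections = 1 means Remote Desktop is disabled; UserAuthentication = 1 means NLA is required.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    } else {
        # Windows 7 / Server 2008 R2 lack the NetTCPIP module: fall back to netstat output.
        $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+.*LISTENING')
    }

    [pscustomobject]@{
        RdpConnectionsAllowed = ($deny -eq 0)
        TermServiceRunning    = ($null -ne $svc -and $svc.Status -eq 'Running')
        ListeningOn3389       = $listening
        NlaRequired           = ($nla -eq 1)
        PatchInstalled        = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    }
}

$p = Get-RdpPosture

# Each check maps to one of the mitigations in section 4; a failed check is flagged, not acted on.
$checks = @(
    @{ Name = 'Remote Desktop Services disabled (mitigation 1)';      Ok = -not ($p.RdpConnectionsAllowed -and $p.TermServiceRunning) }
    @{ Name = 'Network Level Authentication required (mitigation 2)'; Ok = ($p.NlaRequired -or -not $p.RdpConnectionsAllowed) }
    @{ Name = 'Nothing listening on TCP 3389 on this host';           Ok = -not $p.ListeningOn3389 }
    @{ Name = "Microsoft update $PatchKB installed";                  Ok = $p.PatchInstalled }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS     ' } else { 'ATTENTION' }
    Write-Output ('{0}  {1}' -f $state, $c.Name)
}

if ($EnforceNla) {
    # Mitigation 2: an unauthenticated client can no longer reach the vulnerable code path.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Write-Output 'NLA now required for RDP-Tcp connections.'
}

if ($DisableRdp) {
    # Mitigation 1: only where RDP is not needed to administer the host.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
    Write-Output 'Remote Desktop Services disabled and stopped.'
}
```

Run it once as a report (`.\Audit-RdpPosture.ps1 -PatchKB KB<number>`) and re-run after patching; the perimeter block in mitigation 3 is applied on the enterprise firewall, not on the host, so the script only reports whether the host itself has 3389 open. If RDP is needed to administer a hosted ICS, XprezzNet, Sentinel or Pathfinder SL server, use `-EnforceNla` rather than `-DisableRdp` and patch the platform.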

References

5. ADDITIONAL INFORMATION

Spacelabs has adopted a cybersecurity program that is based on National Institute of Standards and Technology’s 800-53 requirements. We continually analyze our products for vulnerabilities and weaknesses in collaboration with customers, regulatory agencies, and external experts to maintain and improve the security of our products. You will find the latest cybersecurity information on our website at https://spacelabs.wpengine.com/products/security/.

If you have any questions about this Security Advisory, please contact Spacelabs at 1-800-522-7025 and select 2 for Technical Support.

In addition, general inquiries can be submitted using the Contact Us form on our website.

6. DOCUMENT HISTORY

Version: Rev A
Release Date: January 6, 2020
Purpose: Customer Security Advisory DejaBlue Vulnerability Impact Assessment Report

7. TERMS OF USE

The information in this document is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.

This document contains confidential and proprietary language and may not be reproduced or shared with a third party without written permission from Spacelabs. All rights to registrations and trademarks reside with their respective owners.

©2020 Spacelabs Healthcare. All rights reserved.