{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" } ], "publisher": { "category": "coordinator", "contact_details": "CISAservicedesk@cisa.dhs.gov", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSMA-17-241-01 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-241-01.json" }, { "category": "self", "summary": "ICS Advisory ICSMA-17-241-01 Web Version", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01" } ], "title": "ICSMA-17-241-01_Abbott Laboratories ' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities", "tracking": { "current_release_date": "2017-08-29T00:00:00.000000Z", "generator": { "engine": { "name": "CISA USCert CSAF Generator", "version": "1" } }, "id": "ICSMA-17-241-01", "initial_release_date": "2017-08-29T00:00:00.000000Z", "revision_history": [ { "date": "2017-08-29T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSMA-17-241-01 Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "< august 28", "product": { "name": "Accent MRI: manufactured prior to August 28", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "Accent MRI" }, { "branches": [ { "category": "product_version_range", "name": "< august 28", "product": { "name": "Assurity/Allure: manufactured prior to August 28", "product_id": "CSAFPID-0002" } } ], "category": "product_name", "name": "Assurity/Allure" }, { "branches": [ { "category": "product_version_range", "name": "< august 28", "product": { "name": "Assurity MRI: manufactured prior to August 28", "product_id": "CSAFPID-0003" } } ], "category": "product_name", "name": "Assurity MRI" }, { "branches": [ { "category": "product_version_range", "name": "< august 28", "product": { "name": "Accent/Anthem: manufactured prior to August 28", "product_id": "CSAFPID-0004" } } ], "category": "product_name", "name": "Accent/Anthem" } ], "category": "vendor", "name": "Abbott Laboratories" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-12712", "cwe": { "id": "CWE-287", "name": "Improper Authentication" }, "notes": [ { "category": "summary", "text": "The pacemaker 's authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "remediations": [ { "category": "mitigation", "details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician's professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "title": "CVE-2017-12712" }, { "cve": "CVE-2017-12716", "cwe": { "id": "CWE-311", "name": "Missing Encryption of Sensitive Data" }, "notes": [ { "category": "summary", "text": "The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician's professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "title": "CVE-2017-12716" }, { "cve": "CVE-2017-12714", "cwe": { "id": "CWE-920", "name": "Improper Restriction of Power Consumption" }, "notes": [ { "category": "summary", "text": "The pacemakers do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] }, "references": [ { "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "remediations": [ { "category": "mitigation", "details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician's professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.", "product_ids": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "CSAFPID-0001", "CSAFPID-0002", "CSAFPID-0003", "CSAFPID-0004" ] } ], "title": "CVE-2017-12714" } ] }