CVSS2
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score Confidence: High
EPSS Percentile: 37.4%
CVSS v3: 8.3
ATTENTION: Exploitable with adjacent access/low skill level to exploit
--------- Begin Update A Part 1 of 3 --------
--------- End Update A Part 1 of 3 --------
This updated advisory is a follow-up to the original advisory titled ICSMA-18-310-01 Roche Point of Care Handheld Medical Devices that was published November 6, 2018 on the NCCIC/ICS-CERT website.
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to modify system settings or execute arbitrary code.
--------- Begin Update A Part 2 of 3 --------
The following versions of Roche Diagnostics handheld medical devices are affected:
--------- End Update A Part 2 of 3 --------
Accu-Chek Units Not affected:
4.2.1 IMPROPER AUTHENTICATION CWE-287
Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
CVE-2018-18561 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Affected products:
4.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating systems.
CVE-2018-18562 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).
Affected products:
4.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
A vulnerability in the software update mechanism allows an attacker in the adjacent network to overwrite arbitrary files on the system through a crafted update package.
CVE-2018-18563 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).
Affected products:
Accu-Chek Inform II Instrument – all versions before 03.06.00 (serial number below 14000) / 04.03.00 (serial number above 14000)
4.2.4 IMPROPER ACCESS CONTROL CWE-284
Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted message.
CVE-2018-18564 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected products:
4.2.5 IMPROPER ACCESS CONTROL CWE-284
Improper access control allows attackers in the adjacent network to change the instrument configuration.
CVE-2018-18565 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H).
Affected products:
--------- Begin Update A Part 3 of 3 --------
--------- End Update A Part 3 of 3 --------
Niv Yehezkel of Medigate reported these vulnerabilities to Roche.
Roche recommends the following mitigation procedures for connected devices (Ethernet and Wi-Fi):
For non-connected devices:
For all affected products, Roche Diagnostics has scheduled the release of new software updates, with availability beginning November 2018.
For further information or concerns, please contact a local Roche Diagnostics office at the following location:
<https://www.roche.com/about/business/roche_worldwide.htm>
NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18561
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18562
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18563
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18564
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18565
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/434.html
cwe.mitre.org/data/definitions/78.html
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.roche.com/about/business/roche_worldwide.htm