Security Advisories
bioMérieux continuously monitors the evolution of the global cybersecurity context and assesses vulnerabilities which may affect bioMérieux products. The present security advisories are intended to inform our customers about bioMérieux's response to relevant security events.
Apache Active MQ®
(Latest update: April 3rd, 2024)
Vulnerability
CVE-2023-46604
Background/Overview
bioMérieux is aware of and out of an abundance of caution is continuing to monitor an authenticated vulnerability for NextGen Mirth® Connect, a third-party, open-source healthcare data integration platform. These vulnerabilities impact NextGen Mirth® Connect 4.4.0 and prior versions. If exploited this vulnerability could allow an attacker to gain unauthorized access to or to compromise data.
After learning of the vulnerability, bioMerieux began conducting investigations of each product to determine if any are affected. These ongoing investigations have determined that while many of our products are not affected, some products do include versions of ActiveMQ® that are vulnerable. While bioMerieux has no evidence this vulnerability has been exploited on its products or product features, we recommend that customers follow the recommendations sent to them or reach out to your local bioMerieux representative.
NextGen Mirth® Connect
(Latest update: April 3rd, 2024)
Vulnerability
CVE-2023-43208
Background/Overview
bioMérieux is aware of and out of an abundance of caution is continuing to monitor an authenticated vulnerability for NextGen Mirth® Connect, a third-party, open-source healthcare data integration platform, 4.4.0 and prior versions. If exploited this vulnerability could allow an attacker to gain unauthorized access to or to compromise data.
After learning of the vulnerability, bioMerieux began conducting investigations of each product to determine if any are affected. These ongoing investigations have determined that while many of our products are not affected, some products do include versions of NextGen Mirth® Connect that are vulnerable. While bioMerieux has no evidence this vulnerability has been exploited on its products or product features, we recommend that customers follow the recommendations sent to them or reach out to your local bioMerieux representative.
Access:7 vulnerabilities
(Latest update: March 8th, 2022)
Overview
bioMérieux is aware of, and is monitoring, a set of vulnerabilities, collectively named Access:7, that have recently been disclosed in a third party PTC’s Axeda agent and Axeda Desktop Server that is used by bioMérieux. After learning about the potential vulnerabilities, bioMérieux launched an investigation to determine any potential impact on its products.
The PTC Axeda agent and Axeda Desktop Server are components of bioMérieux’s VILINK® with Axeda service, a secure solution offering remote access, proactive maintenance and remote updates. The Axeda agent is a component of VILINK® solution that is loaded onto bioMérieux computers and uses the TCP port 443 outbound to establish a TLS tunnel with a VILINK® server.. VILINK® with Axeda enables support personnel to diagnose and solve software and instrument issues, support systems proactively and keep systems up-to-date. VILINK® is not a medical device and provides no clinical or industrial diagnostics.
As further described below, bioMérieux’s investigation to date has determined that its VILINK® with Axeda is not affected by four of the seven PTC Axeda vulnerabilities. The three remaining vulnerabilities present a low risk to VILINK® with Axeda.
bioMerieux is continuing to evaluate remediation and controls that eliminate or further reduce any remaining risks, and will update this advisory as necessary.
Please note: VILINK® with Securelink is not affected by this set of vulnerabilities.
Advisory
The following summarizes each known vulnerability that has been disclosed by PTC, along with its CVE number, its unadjusted “base” CVSS 3.1 score, and the contextualized environmental CVSS 3.1 score, which takes into account the environmental variables and other risk mitigants that are specific to the VILINK® with Axeda solution distributed by bioMérieux or its subsidiaries.
Summary Table
(for additional information, see the full CVE descriptions below):
CVE | Applies to VILINK® with Axeda solution | CVSS 3.1 Base Score | CVSS 3.1 Environmental Score |
---|---|---|---|
CVE-2022-25251 | Yes | 9.8 | 6.4 |
CVE-2022-25250 | Yes | 7.5 | 2.3 |
CVE-2022-25252 | Yes | 7.5 | 2.3 |
CVE-2022-25246 | No | 9.8 | Not Affected |
CVE-2022-25247 | No | 9.8 | Not Affected |
CVE-2022-25248 | No | 5.3 | Not Affected |
CVE-2022-25249 | No | 7.5 | Not Affected |
CVE-2022-25251
Description (Provided by CVE):
xGate and EKernel Read and modify agent configuration: The affected product may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product's configuration.
CVSS 3.1 base score: 9.8
Contextualized CVSS 3.1 environmental score: 6.4
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X
bioMérieux Analysis:
The bioMérieux systems have the Windows Firewall activated by default. (Factory setting). TCP Port 3031 is blocked by default through Windows Firewall. Such an exploit would require the threat actor to previously have successfully exploited another vulnerability to gain OS Administrative privileges so as to change the firewall configuration. bioMérieux does not have any indication nor has it been made aware of the existence or exploitation of any such other vulnerability.
Although this vulnerability is initially rated with a CVSS of 9.8, the complexity of attacks on VILINK® with Axeda reduces the risk level to low.
However, if the firewall has been disabled or altered from its default state the base CVSS score of 9.8 remains. Please see the recommendations listed below.
CVE-2022-25250
Description (Provided by CVE):
xGate and EKernel, Shut Down: The affected product may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to shut down a specific service.
CVSS 3.1 base score: 7.5
Contextualized CVSS 3.1 environmental score: 2.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/CR:X/IR:X/AR:L/MAV:L/MAC:H/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X
bioMérieux Analysis:
The bioMérieux systems have the Windows Firewall activated by default. (Factory setting). TCP Port 3031 is blocked by default through Windows Firewall. Therefore, the risk to the VILINK® with Axeda service is low.
Further, this CVE presents no risk to any device or system upon which VILINK® with Axeda is installed.
However, if the firewall has been disabled or altered from its default state the contextualized CVSS environmental score is adjusted to 5.7. Please see the recommendations listed below.
Contextualized CVSS 3.1 environmental score without firewall: 5.7
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/CR:X/IR:X/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
This environmental score takes into account the low Availability requirement of the VILINK® with Axeda service on our devices or systems. The VILINK® with Axeda service unavailability does not affect any device or system’s proper functioning.
CVE-2022-25252
Description (Provided by CVE):
xBase39: The affected product when receiving certain input throws an exception. Services using that function does not handle the exception. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to crash the affected product.
CVSS 3.1 base score: 7.5
Contextualized CVSS 3.1 score: 2.3
bioMérieux Analysis:
The bioMérieux systems have the Windows Firewall activated by default. (Factory setting). TCP Port 3011 is blocked by default through Windows Firewall. Therefore, the risk to the VILINK® with Axeda service is low.
Further, this CVE presents no risk to any device or system upon which VILINK® with Axeda is installed.
However, if the firewall has been disabled or altered from its default state the Contextualized CVSS score is adjusted to 5.7. Please see the recommendations listed below.
Contextualized CVSS 3.1 environmental score without firewall: 5.7
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/CR:X/IR:X/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
This environmental score takes into account the low Availability requirement of the VILINK® with Axeda service on our devices or systems. The VILINK® with Axeda service unavailability does not affect any device or system’s proper functioning.
CVE-2022-25246
Description (Provided by CVE):
AxedaDesktopServer.exe: The affected product uses hardcoded credentials for it's UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of host operating system via Remote Desktop Connection.
CVSS 3.1 base score: 9.8
bioMérieux Analysis: Not Affected
A generic hardcoded password may allow a threat actor in possession of this password to remotely connect to systems running AxedaDesktopServer (port TCP/5920) in its default configuration. This default configuration is however never used in the context of VILINK® Agents.
bioMerieux by design altered the AxedaDeskTopServer.exe configuration and removed the hardcoded credentials.
Additionally VILINK® with Axeda Agents are configured to either require explicit end-user approval or the presentation of OS user credentials (headless systems) before authorizing any remote sessions.
Therefore, VILINK® with Axeda is not affected.
CVE-2022-25247
Description (Provided by CVE):
ERemoteServer, System Access: The affected product may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution.
CVSS 3.1 base score: 9.8
bioMérieux Analysis: Not Affected
ERemoteServer.exe is never executed in VILINK® context of use. TCP ports 3076 and 3077 are blocked by the default firewall settings of commercial systems with Windows Firewall enabled.
Therefore, VILINK® with Axeda is not affected.
CVE-2022-25248
Description (Provided by CVE):
ERemoteServer, Event Text Log: When connecting to a certain port the affected product supplies the event log of the specific service.
CVSS 3.1 base score: 5.3
bioMérieux Analysis: Not Affected
ERemoteServer.exe is never executed in VILINK® context of use. TCP ports 3076 and 3077 are blocked by the default firewall settings of commercial systems with Windows Firewall enabled
Therefore, VILINK® with Axeda is not affected.
CVE-2022-25249
Description (Provided by CVE):
xGate and EKernel, Directory Traversal: The affected product (does not apply to Axeda agent 6.9.2 and 6.9.3) is vulnerable to directory traversal. Which could allow a remote unauthenticated attacker to obtain file system read access via web server
CVSS 3.1 base score: 7.5
bioMérieux Analysis: Not Affected
The vulnerable AxedaWebServer is not embedded in VILINK® with Axeda. The vulnerability is not present.
Therefore, VILINK® with Axeda is not affected.
Recommendations
1. Ensure your firewall is enabled, for more information please see: https://docs.microsoft.com/en-us/windows/security/threat-protection/wind...
2. Check this page periodically for updates
Apache Log4J vulnerabilities
(Latest update: January 26th, 2022)
Background/Overview
bioMérieux is aware of and currently monitoring vulnerabilities in Apache Log4j. These vulnerabilities potentially allow for unauthenticated remote code execution. Log4j is an open source Java logging library developed by the Apache Foundation widely used in many applications and is present, as a dependency, in many services. bioMérieux is currently investigating to determine whether any products including in its BioFire franchise, are affected and will regularly update this advisory as more information becomes available.
Advisory
bioMérieux has assessed that the following products or product features developed or distributed by bioMérieux or its subsidiaries and determined that they are not running the impacted versions of Log4j disclosed as of the date of this Advisory:
- 3P® Software 1.3.3
- APIWEB™ 1.4
- APIWEB™ Standalone
- ASTUTE™
- ATB™ China 2.2.1
- BACT/ALERT® 3D
- BIOFIRE® FILMARRAY 2.0
- BIOFIRE® FILMARRAY TORCH
- BIOFIRE® SYNDROMIC TRENDS
- BIOMÉRIEUX EPISEQ® 16S 1.0
- BIOMÉRIEUX EPISEQ® CS 1.1
- BIOMÉRIEUX EPISEQ® SARS-COV-2 1.0
- CLARION™ / AGILIST™
- COPAN Colibrí™
- COPAN C-Tracer
- COPAN WASP®
- Corepoint Integration Engine
- D-COUNT®
- easyMAG® Win10
- EMAG® SP2
- EVISIGHT® COMPACT
- LABGUARD®
- MINI VIDAS®
- MYLA® Lab Analytics CLOUD 1.2
- OBSERVA®
- SCANRDI®
- SecureLink
- TEMPO® Routine
- TEMPO® Viewer
- VIDAS® 3 1.3 and below
- VIDAS® PC
- VIRTUO® R2
- VITEK® 2 8.x and below
As part of its ongoing investigations, bioMérieux is determining whether other bioMérieux products or product features are running the affected versions of Log4j and testing potential remediation actions if they are. Any remediation actions for potentially exposed bioMérieux products or product features will be made available to customers as soon as possible.
Temporary recommendations
1. When able isolate medical systems on a dedicated network (LAN/VLAN)
a. When isolating the devices follow your local IT governance to ensure required communication is properly secured
2. Never expose medical devices directly to the internet
“How can you improve the security of network infrastructure devices?
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
- Harden network devices.
- Secure access to infrastructure devices.
- Perform out-of-band (OoB) network management.
- Validate integrity of hardware and software.”
Source: https://www.cisa.gov/uscert/ncas/tips/ST18-001
General resources
1. General recommendations for Securing Network Devices:
- https://www.cisa.gov/news-events/news/securing-network-infrastructure-devices
- https://www.iso.org/standard/57939.html
- https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/securing-netw...
- https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/securing-data...
- https://www.fda.gov/about-fda/cdrh-patient-science-and-engagement-progra...
- https://www.mitre.org/publications/technical-papers/medical-device-cyber...
- https://www.fda.gov/medical-devices/digital-health-center-excellence/cyb...
2. General information on Log4j:
Multiple vulnerabilities in Treck TCP/IP stack (Ripple20)
(Latest update: October 14, 2020)
A list of vulnerabilities called “Ripple20” affecting a network software library used in a large variety of connected devices have been recently disclosed by the JSOF security research group. Some of these vulnerabilities affecting this TCP/IP stack developed by Treck Inc. have been confirmed as critical by CERTs (Computer Emergency Response Teams), as they may allow remote code execution or expose sensitive information.
We have evaluated the exposure of bioMérieux products as per our continuous threat monitoring process and have identified that HP SL-M4020ND printers delivered with some of our commercial systems in the past are affected by Ripple20 vulnerabilities when used through network connectivity instead of USB. We recommend our customers verify if they use networked HP SL-M4020ND printers with their bioMérieux systems and to update the printers’ firmware. More information and instruction are available in HP’s security advisory.
No other severe impact has been identified at this point and the present communication will be updated as appropriate.
Please contact your local bioMérieux representative if you have any question.
JSOF research group page: https://www.jsof-tech.com/ripple20/
CERT Coordination Center advisory: https://kb.cert.org/vuls/id/257161
CISA Industrial Control System advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
HP advisory: https://support.hp.com/sk-en/document/c06640149
(Latest update: October 14, 2020)
Microsoft has disclosed a critical vulnerability (CVE-2020-0601) on January 14th 2020 affecting Windows capabilities to verify digital signatures. It can be exploited by a malicisous software, website or email to appear as signed by a trusted authority or by an attacker to decrypt confidential data in transit. Microsoft has released a set of patches as part of January's Windows Updates to correct this vulnerability.
We highly recommend our customers using bioMérieux systems running Windows 10 or Windows Server 2016 operating systems to install January's Windows security updates in accordance with the concerned systems instructions of use.
Please contact your local bioMérieux representative if you have any question.
Microsoft's advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
For any complementary information, please contact your local support representative
Windows CryptoAPI Spoofing Vulnerability
(Latest update: October 14, 2020)
Microsoft has disclosed a critical vulnerability (CVE-2020-0601) on January 14th 2020 affecting Windows capabilities to verify digital signatures. It can be exploited by a malicisous software, website or email to appear as signed by a trusted authority or by an attacker to decrypt confidential data in transit. Microsoft has released a set of patches as part of January's Windows Updates to correct this vulnerability.
We highly recommend our customers using bioMérieux systems running Windows 10 or Windows Server 2016 operating systems to install January's Windows security updates in accordance with the concerned systems instructions of use.
Please contact your local bioMérieux representative if you have any question.
Microsoft's advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
For any complementary information, please contact your local support representative