Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2017-12712 (GCVE-0-2017-12712)
Vulnerability from cvelistv5 – Published: 2018-04-25 13:00 – Updated: 2024-09-17 03:48
VLAI
EPSS
Summary
The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper authentication CWE-287
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | x_refsource_MISC |
| http://www.securityfocus.com/bid/100523 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Abbott Laboratories | Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI. |
Affected:
All versions of pacemakers manufactured prior to August 28, 2017
|
Date Public
2017-08-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"vendor": "Abbott Laboratories",
"versions": [
{
"status": "affected",
"version": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
],
"datePublic": "2017-08-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper authentication CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-26T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-08-29T00:00:00",
"ID": "CVE-2017-12712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"version": {
"version_data": [
{
"version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
}
]
},
"vendor_name": "Abbott Laboratories"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper authentication CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-12712",
"datePublished": "2018-04-25T13:00:00.000Z",
"dateReserved": "2017-08-09T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:48:37.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2017-12712",
"date": "2026-05-27",
"epss": "0.0038",
"percentile": "0.59598"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f0b.0e.7e\", \"matchCriteriaId\": \"BFF25F4E-CF32-41A5-9AEC-5CF2A1D70732\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7261AA88-1BD6-4CDF-AFC0-31FD7F52B9E7\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f0b.0e.7e\", \"matchCriteriaId\": \"D6C940D7-5EA3-4D42-8FFE-0C38D2D0065E\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4B28402F-D4DF-448B-8ED3-676E0B438331\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f10.08.6c\", \"matchCriteriaId\": \"BFC7CD6D-57F8-4479-A25C-9B9937FD3793\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C752B8AA-8990-43DE-AB8B-57329E1E0AE1\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f10.08.6c\", \"matchCriteriaId\": \"3CCA1805-9253-4267-ACE9-B9F3BBB1549A\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"794620AF-C8D5-4511-B4AF-5E8B4347F558\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f14.07.80\", \"matchCriteriaId\": \"0BF37E32-78D2-48CD-BF19-17533E3CB5DF\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"83B2EBFC-FB8A-402E-8C5C-118D4362B143\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f14.07.80\", \"matchCriteriaId\": \"858B3E80-0179-4AD7-BC32-3AA87A7341C6\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"65B30268-EC36-42C3-8028-D345DC22A3DC\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"f17.01.49\", \"matchCriteriaId\": \"95E52CB5-DB4A-42FE-B963-CE891D3C1A95\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"43025EB2-8644-4BC5-BC3D-D67305C504B7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.\"}, {\"lang\": \"es\", \"value\": \"El algoritmo de autenticaci\\u00f3n en los marcapasos de Abbott Laboratories fabricados antes del 28 de agosto de 2017, que est\\u00e1 relacionado con una clave de autenticaci\\u00f3n y una marca de tiempo, puede comprometerse u omitirse. Esto puede permitir que un atacante cercano env\\u00ede comandos no autorizados al marcapasos mediante comunicaciones de radiofrecuencia. Puntuaci\\u00f3n base de CVSS v3: 7.5, cadena de vector CVSS: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott ha desarrollado una actualizaci\\u00f3n de firmware para ayudar a mitigar las vulnerabilidades identificadas.\"}]",
"id": "CVE-2017-12712",
"lastModified": "2024-11-21T03:10:04.707",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 8.3, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 6.5, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-04-25T13:29:00.227",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/100523\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"http://www.securityfocus.com/bid/100523\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-12712\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-04-25T13:29:00.227\",\"lastModified\":\"2024-11-21T03:10:04.707\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.\"},{\"lang\":\"es\",\"value\":\"El algoritmo de autenticaci\u00f3n en los marcapasos de Abbott Laboratories fabricados antes del 28 de agosto de 2017, que est\u00e1 relacionado con una clave de autenticaci\u00f3n y una marca de tiempo, puede comprometerse u omitirse. Esto puede permitir que un atacante cercano env\u00ede comandos no autorizados al marcapasos mediante comunicaciones de radiofrecuencia. Puntuaci\u00f3n base de CVSS v3: 7.5, cadena de vector CVSS: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott ha desarrollado una actualizaci\u00f3n de firmware para ayudar a mitigar las vulnerabilidades identificadas.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":8.3,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":6.5,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f0b.0e.7e\",\"matchCriteriaId\":\"BFF25F4E-CF32-41A5-9AEC-5CF2A1D70732\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7261AA88-1BD6-4CDF-AFC0-31FD7F52B9E7\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f0b.0e.7e\",\"matchCriteriaId\":\"D6C940D7-5EA3-4D42-8FFE-0C38D2D0065E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B28402F-D4DF-448B-8ED3-676E0B438331\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f10.08.6c\",\"matchCriteriaId\":\"BFC7CD6D-57F8-4479-A25C-9B9937FD3793\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C752B8AA-8990-43DE-AB8B-57329E1E0AE1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f10.08.6c\",\"matchCriteriaId\":\"3CCA1805-9253-4267-ACE9-B9F3BBB1549A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"794620AF-C8D5-4511-B4AF-5E8B4347F558\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f14.07.80\",\"matchCriteriaId\":\"0BF37E32-78D2-48CD-BF19-17533E3CB5DF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83B2EBFC-FB8A-402E-8C5C-118D4362B143\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f14.07.80\",\"matchCriteriaId\":\"858B3E80-0179-4AD7-BC32-3AA87A7341C6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65B30268-EC36-42C3-8028-D345DC22A3DC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f17.01.49\",\"matchCriteriaId\":\"95E52CB5-DB4A-42FE-B963-CE891D3C1A95\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43025EB2-8644-4BC5-BC3D-D67305C504B7\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100523\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/100523\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
CNVD-2017-23901
Vulnerability from cnvd - Published: 2017-08-30
VLAI
Title
Abbott Laboratories多款起搏器产品未授权访问漏洞
Description
Accent、Anthem、Accent MRI、Assurity、Allure和Assurity MRI都是美国雅培实验室(Abbott Laboratories)的植入式医疗设备。
Abbott Laboratories多款起搏器产品存在未授权访问漏洞,涉及身份验证密钥和时间戳的起搏器认证算法可能会受到损害或绕过,导致附近的攻击者通过RF通信向起搏器发出未经授权的命令。
Severity
中
Patch Name
Abbott Laboratories多款起搏器产品未授权访问漏洞的补丁
Patch Description
Accent、Anthem、Accent MRI、Assurity、Allure和Assurity MRI都是美国雅培实验室(Abbott Laboratories)的植入式医疗设备。
Abbott Laboratories多款起搏器产品存在未授权访问漏洞,涉及身份验证密钥和时间戳的起搏器认证算法可能会受到损害或绕过,导致附近的攻击者通过RF通信向起搏器发出未经授权的命令。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
用户可联系供应商获得补丁信息: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
Reference
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
Impacted products
| Name | ['Abbott Laboratories Accent <August 28,2017', 'Abbott Laboratories Anthem <August 28,2017', 'Abbott Laboratories Accent MRI <August 28,2017', 'Abbott Laboratories Assurity <August 28,2017', 'Abbott Laboratories Allure <August 28,2017', 'Abbott Laboratories Assurity MRI <August 28,2017'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2017-12712"
}
},
"description": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u6d89\u53ca\u8eab\u4efd\u9a8c\u8bc1\u5bc6\u94a5\u548c\u65f6\u95f4\u6233\u7684\u8d77\u640f\u5668\u8ba4\u8bc1\u7b97\u6cd5\u53ef\u80fd\u4f1a\u53d7\u5230\u635f\u5bb3\u6216\u7ed5\u8fc7\uff0c\u5bfc\u81f4\u9644\u8fd1\u7684\u653b\u51fb\u8005\u901a\u8fc7RF\u901a\u4fe1\u5411\u8d77\u640f\u5668\u53d1\u51fa\u672a\u7ecf\u6388\u6743\u7684\u547d\u4ee4\u3002",
"discovererName": "unknow",
"formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-23901",
"openTime": "2017-08-30",
"patchDescription": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\uff0c\u6d89\u53ca\u8eab\u4efd\u9a8c\u8bc1\u5bc6\u94a5\u548c\u65f6\u95f4\u6233\u7684\u8d77\u640f\u5668\u8ba4\u8bc1\u7b97\u6cd5\u53ef\u80fd\u4f1a\u53d7\u5230\u635f\u5bb3\u6216\u7ed5\u8fc7\uff0c\u5bfc\u81f4\u9644\u8fd1\u7684\u653b\u51fb\u8005\u901a\u8fc7RF\u901a\u4fe1\u5411\u8d77\u640f\u5668\u53d1\u51fa\u672a\u7ecf\u6388\u6743\u7684\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Abbott Laboratories Accent \u003cAugust 28\uff0c2017",
"Abbott Laboratories Anthem \u003cAugust 28\uff0c2017",
"Abbott Laboratories Accent MRI \u003cAugust 28\uff0c2017",
"Abbott Laboratories Assurity \u003cAugust 28\uff0c2017",
"Abbott Laboratories Allure \u003cAugust 28\uff0c2017",
"Abbott Laboratories Assurity MRI \u003cAugust 28\uff0c2017"
]
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"serverity": "\u4e2d",
"submitTime": "2017-08-30",
"title": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e"
}
FKIE_CVE-2017-12712
Vulnerability from fkie_nvd - Published: 2018-04-25 13:29 - Updated: 2024-11-21 03:10
Severity
Summary
The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/100523 | Third Party Advisory, VDB Entry | |
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100523 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abbott | accent_firmware | * | |
| abbott | accent | - | |
| abbott | anthem_firmware | * | |
| abbott | anthem | - | |
| abbott | accent_mri_firmware | * | |
| abbott | accent_mri | - | |
| abbott | accent_st_firmware | * | |
| abbott | accent_st | - | |
| abbott | assurity_firmware | * | |
| abbott | assurity | - | |
| abbott | allure_firmware | * | |
| abbott | allure | - | |
| abbott | assurity_mri_firmware | * | |
| abbott | assurity_mri | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFF25F4E-CF32-41A5-9AEC-5CF2A1D70732",
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7261AA88-1BD6-4CDF-AFC0-31FD7F52B9E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6C940D7-5EA3-4D42-8FFE-0C38D2D0065E",
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4B28402F-D4DF-448B-8ED3-676E0B438331",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFC7CD6D-57F8-4479-A25C-9B9937FD3793",
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C752B8AA-8990-43DE-AB8B-57329E1E0AE1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CCA1805-9253-4267-ACE9-B9F3BBB1549A",
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*",
"matchCriteriaId": "794620AF-C8D5-4511-B4AF-5E8B4347F558",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0BF37E32-78D2-48CD-BF19-17533E3CB5DF",
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83B2EBFC-FB8A-402E-8C5C-118D4362B143",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "858B3E80-0179-4AD7-BC32-3AA87A7341C6",
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*",
"matchCriteriaId": "65B30268-EC36-42C3-8028-D345DC22A3DC",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95E52CB5-DB4A-42FE-B963-CE891D3C1A95",
"versionEndExcluding": "f17.01.49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43025EB2-8644-4BC5-BC3D-D67305C504B7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
},
{
"lang": "es",
"value": "El algoritmo de autenticaci\u00f3n en los marcapasos de Abbott Laboratories fabricados antes del 28 de agosto de 2017, que est\u00e1 relacionado con una clave de autenticaci\u00f3n y una marca de tiempo, puede comprometerse u omitirse. Esto puede permitir que un atacante cercano env\u00ede comandos no autorizados al marcapasos mediante comunicaciones de radiofrecuencia. Puntuaci\u00f3n base de CVSS v3: 7.5, cadena de vector CVSS: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott ha desarrollado una actualizaci\u00f3n de firmware para ayudar a mitigar las vulnerabilidades identificadas."
}
],
"id": "CVE-2017-12712",
"lastModified": "2024-11-21T03:10:04.707",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-25T13:29:00.227",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FGXH-JXXP-VJ3C
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details
The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Severity
8.8 (High)
{
"affected": [],
"aliases": [
"CVE-2017-12712"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-25T13:29:00Z",
"severity": "HIGH"
},
"details": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GHSA-fgxh-jxxp-vj3c",
"modified": "2022-05-13T01:37:46Z",
"published": "2022-05-13T01:37:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12712"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2017-12712
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-12712",
"description": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GSD-2017-12712"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-12712"
],
"details": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GSD-2017-12712",
"modified": "2023-12-13T01:21:03.587064Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-08-29T00:00:00",
"ID": "CVE-2017-12712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"version": {
"version_data": [
{
"version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
}
]
},
"vendor_name": "Abbott Laboratories"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper authentication CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f17.01.49",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2017-12712"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-10-09T23:23Z",
"publishedDate": "2018-04-25T13:29Z"
}
}
}
ICSMA-17-241-01
Vulnerability from csaf_cisa - Published: 2017-08-29 00:00 - Updated: 2017-08-29 00:00Summary
ICSMA-17-241-01_Abbott Laboratories ' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
7.5 (High)
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Accent MRI: manufactured prior to August 28
Abbott Laboratories / Accent MRI
|
< august 28 |
Mitigation
|
|
|
Assurity/Allure: manufactured prior to August 28
Abbott Laboratories / Assurity/Allure
|
< august 28 |
Mitigation
|
|
|
Assurity MRI: manufactured prior to August 28
Abbott Laboratories / Assurity MRI
|
< august 28 |
Mitigation
|
|
|
Accent/Anthem: manufactured prior to August 28
Abbott Laboratories / Accent/Anthem
|
< august 28 |
Mitigation
|
CWE-311
- Missing Encryption of Sensitive Data
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Accent MRI: manufactured prior to August 28
Abbott Laboratories / Accent MRI
|
< august 28 |
Mitigation
|
|
|
Assurity/Allure: manufactured prior to August 28
Abbott Laboratories / Assurity/Allure
|
< august 28 |
Mitigation
|
|
|
Assurity MRI: manufactured prior to August 28
Abbott Laboratories / Assurity MRI
|
< august 28 |
Mitigation
|
|
|
Accent/Anthem: manufactured prior to August 28
Abbott Laboratories / Accent/Anthem
|
< august 28 |
Mitigation
|
5.3 (Medium)
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Accent MRI: manufactured prior to August 28
Abbott Laboratories / Accent MRI
|
< august 28 |
Mitigation
|
|
|
Assurity/Allure: manufactured prior to August 28
Abbott Laboratories / Assurity/Allure
|
< august 28 |
Mitigation
|
|
|
Assurity MRI: manufactured prior to August 28
Abbott Laboratories / Assurity MRI
|
< august 28 |
Mitigation
|
|
|
Accent/Anthem: manufactured prior to August 28
Abbott Laboratories / Accent/Anthem
|
< august 28 |
Mitigation
|
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "CISAservicedesk@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-17-241-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-241-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-17-241-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01"
}
],
"title": "ICSMA-17-241-01_Abbott Laboratories \u0027 Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities",
"tracking": {
"current_release_date": "2017-08-29T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA USCert CSAF Generator",
"version": "1"
}
},
"id": "ICSMA-17-241-01",
"initial_release_date": "2017-08-29T00:00:00.000000Z",
"revision_history": [
{
"date": "2017-08-29T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-17-241-01 Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Accent MRI: manufactured prior to August 28",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Accent MRI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Assurity/Allure: manufactured prior to August 28",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Assurity/Allure"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Assurity MRI: manufactured prior to August 28",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "Assurity MRI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Accent/Anthem: manufactured prior to August 28",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Accent/Anthem"
}
],
"category": "vendor",
"name": "Abbott Laboratories"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-12712",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The pacemaker \u0027s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12712"
},
{
"cve": "CVE-2017-12716",
"cwe": {
"id": "CWE-311",
"name": "Missing Encryption of Sensitive Data"
},
"notes": [
{
"category": "summary",
"text": "The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12716"
},
{
"cve": "CVE-2017-12714",
"cwe": {
"id": "CWE-920",
"name": "Improper Restriction of Power Consumption"
},
"notes": [
{
"category": "summary",
"text": "The pacemakers do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12714"
}
]
}
ICSMA-18-107-01
Vulnerability from csaf_cisa - Published: 2018-04-17 00:00 - Updated: 2018-04-17 00:00Summary
Abbott Laboratories Defibrillator
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation: Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.
Recommended Practices: NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices: NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.
Exploitability: No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Fortify Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Fortify Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Promote Quadra: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Promote Quadra
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Current: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Current
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Promote: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Promote
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Quadra Assura MP: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Quadra Assura MP
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify Quadra: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify Quadra
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Quadra Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Quadra Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Ellipse: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Ellipse
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Fortify: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Fortify
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
5.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Fortify Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Fortify Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Promote Quadra: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Promote Quadra
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Current: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Current
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Promote: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Promote
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Quadra Assura MP: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Quadra Assura MP
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify Quadra: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify Quadra
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Quadra Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Quadra Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Ellipse: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Ellipse
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Fortify: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Fortify
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
|
|
Unify Assura: manufactured and distributed prior to April 1 2018
Abbott Laboratories / Unify Assura
|
distributed < april 1, 2018 |
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
Vendor Fix
fix
Vendor Fix
Vendor Fix
fix
|
References
8 references
Acknowledgments
MedSec Holdings Ltd
{
"document": {
"acknowledgments": [
{
"organization": "MedSec Holdings Ltd",
"summary": "reporting these vulnerabilities to Abbott Laboratories and NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.",
"title": "Risk evaluation"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-18-107-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsma-18-107-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-18-107-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
"title": "Abbott Laboratories Defibrillator",
"tracking": {
"current_release_date": "2018-04-17T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSMA-18-107-01",
"initial_release_date": "2018-04-17T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-04-17T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-18-107-01 Abbott Laboratories Defibrillator"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Fortify Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Fortify Assura"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Promote Quadra: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Promote Quadra"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Current: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "Current"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Promote: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Promote"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Quadra Assura MP: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "Quadra Assura MP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify Quadra: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "Unify Quadra"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Quadra Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "Quadra Assura"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Ellipse: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "Ellipse"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "Unify"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Fortify: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "Fortify"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "Unify Assura"
}
],
"category": "vendor",
"name": "Abbott Laboratories"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-12712",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The device \u0027s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via RF communications.CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
"references": [
{
"category": "external",
"summary": "nvd.nist.gov",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12712"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott \u0027s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Therefore, the Medical Advisory Boards recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.sjm.com/cyberupdate%20"
},
{
"category": "vendor_fix",
"details": "Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
}
]
},
{
"cve": "CVE-2017-12714",
"cwe": {
"id": "CWE-920",
"name": "Improper Restriction of Power Consumption"
},
"notes": [
{
"category": "summary",
"text": "The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life. CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).. Abbott is a U.S.-based company headquartered in Abbott Park, Illinois. Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.. The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
"references": [
{
"category": "external",
"summary": "nvd.nist.gov",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12714"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott \u0027s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Therefore, the Medical Advisory Boards recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.sjm.com/cyberupdate%20"
},
{
"category": "vendor_fix",
"details": "Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
}
]
}
]
}
VAR-201804-0519
Vulnerability from variot - Updated: 2023-12-18 13:28The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. Abbott Laboratories pacemakers Contains a cryptographic vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Accent, Anthem, Accent MRI, Assurity, Allure, and Assurity MRI are all implantable medical devices from Abbott Laboratories. Authorized order. Multiple Abbott Pacemakers are prone to the following multiple security vulnerabilities: 1. An authentication-bypass vulnerability 2. An information-disclosure vulnerability 3. A Denial-of-Service vulnerability Successful exploits may allow an attacker to gain unauthorized access or bypass intended security restrictions, obtain sensitive information or cause denial-of-service conditions
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201804-0519",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "anthem",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f0b.0e.7e"
},
{
"model": "assurity",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f14.07.80"
},
{
"model": "assurity mri",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f17.01.49"
},
{
"model": "allure",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f14.07.80"
},
{
"model": "accent mri",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f10.08.6c"
},
{
"model": "accent st",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f10.08.6c"
},
{
"model": "accent",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f0b.0e.7e"
},
{
"model": "accent",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "accent mri",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "accent st",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "allure",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "anthem",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "assurity",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "assurity mri",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "laboratories accent \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories anthem \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories accent mri \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories assurity \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories allure \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories assurity mri \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "assurity mri",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "assurity",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "anthem",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "allure",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent st",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent mri",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "assurity mri f17.01.49",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "assurity f14.07.80",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "anthem f0b.0e.7e",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "allure f14.07.80",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent st f10.08.6c",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent mri f10.08.6c",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent f0b.0e.7e",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "anthem",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent mri",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent st",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "assurity",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "allure",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "assurity mri",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f17.01.49",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2017-12712"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "MedSec Holdings Ltd",
"sources": [
{
"db": "BID",
"id": "100523"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
],
"trust": 0.9
},
"cve": "CVE-2017-12712",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Adjacent Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 8.3,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2017-12712",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.2,
"id": "CNVD-2017-23901",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.2,
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2017-12712",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2017-12712",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2017-23901",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201709-084",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14",
"trust": 0.2,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. Abbott Laboratories pacemakers Contains a cryptographic vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Accent, Anthem, Accent MRI, Assurity, Allure, and Assurity MRI are all implantable medical devices from Abbott Laboratories. Authorized order. Multiple Abbott Pacemakers are prone to the following multiple security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. An information-disclosure vulnerability\n3. A Denial-of-Service vulnerability\nSuccessful exploits may allow an attacker to gain unauthorized access or bypass intended security restrictions, obtain sensitive information or cause denial-of-service conditions",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-12712",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSMA-17-241-01",
"trust": 3.3
},
{
"db": "BID",
"id": "100523",
"trust": 1.9
},
{
"db": "CNVD",
"id": "CNVD-2017-23901",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSMA-18-107-01",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2017.2157",
"trust": 0.3
},
{
"db": "IVD",
"id": "767A6A23-3EAA-43AB-8A2A-70FF0F71BC14",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"id": "VAR-201804-0519",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
}
],
"trust": 1.8
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
}
]
},
"last_update_date": "2023-12-18T13:28:57.843000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.abbott.com/"
},
{
"title": "Abbott Laboratories\u0027 various pacemaker products are not authorized to access vulnerable patches",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/101204"
},
{
"title": "Multiple Abbott Product security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=74539"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.0
},
{
"problemtype": "CWE-310",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsma-17-241-01"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/100523"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12712"
},
{
"trust": 0.8,
"url": "https://ics-cert.us-cert.gov/advisories/icsma-18-107-01"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12712"
},
{
"trust": 0.3,
"url": "http://www.abbott.com/"
},
{
"trust": 0.3,
"url": "http://abbott.mediaroom.com/2017-08-29-abbott-issues-new-updates-for-implanted-cardiac-devices"
},
{
"trust": 0.3,
"url": "https://www.auscert.org.au/bulletins/51662"
},
{
"trust": 0.3,
"url": "https://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm573669.htm"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-30T00:00:00",
"db": "IVD",
"id": "767a6a23-3eaa-43ab-8a2a-70ff0f71bc14"
},
{
"date": "2017-08-30T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"date": "2017-08-29T00:00:00",
"db": "BID",
"id": "100523"
},
{
"date": "2018-06-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"date": "2018-04-25T13:29:00.227000",
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"date": "2017-08-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-30T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-23901"
},
{
"date": "2017-08-29T00:00:00",
"db": "BID",
"id": "100523"
},
{
"date": "2018-07-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-013348"
},
{
"date": "2019-10-09T23:23:11.170000",
"db": "NVD",
"id": "CVE-2017-12712"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Abbott Laboratories pacemakers Cryptographic vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-013348"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201709-084"
}
],
"trust": 0.6
}
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…