CVE-2017-12714 (GCVE-0-2017-12714)
Vulnerability from cvelistv5 – Published: 2018-04-25 13:00 – Updated: 2024-09-17 00:16
- CWE-920 - Improper Restriction of power consumption CWE-920
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
| Vendor | Product | Version |
|---|---|---|
| Abbott Laboratories | Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI. | Affected: All versions of pacemakers manufactured prior to August 28, 2017 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"vendor": "Abbott Laboratories",
"versions": [
{
"status": "affected",
"version": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
],
"datePublic": "2017-08-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-920",
"description": "Improper Restriction of power consumption CWE-920",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-26T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-08-29T00:00:00",
"ID": "CVE-2017-12714",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"version": {
"version_data": [
{
"version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
}
]
},
"vendor_name": "Abbott Laboratories"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Restriction of power consumption CWE-920"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-12714",
"datePublished": "2018-04-25T13:00:00.000Z",
"dateReserved": "2017-08-09T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:16:50.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2017-12714",
"date": "2026-04-20",
"epss": "0.00215",
"percentile": "0.44064"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-12714\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-04-25T13:29:00.287\",\"lastModified\":\"2024-11-21T03:10:04.977\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \\\"RF wake-up\\\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.\"},{\"lang\":\"es\",\"value\":\"Los marcapasos de Abbott Laboratories fabricados antes del 28 de agosto de 2017 no restringen o limitan el n\u00famero de comandos \\\"RF wake-up\\\" formateados correctamente que pueden recibir. Esto puede permitir que un atacante cercano env\u00ede comandos repetidamente para reducir la bater\u00eda del marcapasos. Puntuaci\u00f3n base de CVSS v3: 5.3, cadena de vector CVSS: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. 
Abbott ha desarrollado una actualizaci\u00f3n de firmware para ayudar a mitigar las vulnerabilidades identificadas.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:N/I:N/A:C\",\"baseScore\":6.1,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.5,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-920\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-920\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f0b.0e.7e\",\"matchCriteriaId\":\"BFF25F4E-CF32-41A5-9AEC-5CF2A1D70732\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7261AA88-1BD6-4CDF-AFC0-31FD7F52B9E7\"}]}]},{\"operator\":\"AND\",\"nodes
\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f0b.0e.7e\",\"matchCriteriaId\":\"D6C940D7-5EA3-4D42-8FFE-0C38D2D0065E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B28402F-D4DF-448B-8ED3-676E0B438331\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f10.08.6c\",\"matchCriteriaId\":\"BFC7CD6D-57F8-4479-A25C-9B9937FD3793\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C752B8AA-8990-43DE-AB8B-57329E1E0AE1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f10.08.6c\",\"matchCriteriaId\":\"3CCA1805-9253-4267-ACE9-B9F3BBB1549A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"794620AF-C8D5-4511-B4AF-5E8B4347F558\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f14.07.80\",\"matchCriteriaId\":\"0BF37E32-78D2-48CD-BF19-17533E3CB5DF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83B2EBFC-FB8A-402E-8C5C-118D4362B143\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.
3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f14.07.80\",\"matchCriteriaId\":\"858B3E80-0179-4AD7-BC32-3AA87A7341C6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65B30268-EC36-42C3-8028-D345DC22A3DC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"f17.01.49\",\"matchCriteriaId\":\"95E52CB5-DB4A-42FE-B963-CE891D3C1A95\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43025EB2-8644-4BC5-BC3D-D67305C504B7\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100523\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/100523\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
GHSA-4GWC-877G-8PXQ
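Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37

Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted "RF wake-up" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.

(Note: the score and vector quoted in the description above are part of the CNA's text; the `severity` field of this record carries a different vector, CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, with attack complexity Low rather than High, so check which assessment your triage process uses.)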
{
"affected": [],
"aliases": [
"CVE-2017-12714"
],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-25T13:29:00Z",
"severity": "MODERATE"
},
"details": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GHSA-4gwc-877g-8pxq",
"modified": "2022-05-13T01:37:45Z",
"published": "2022-05-13T01:37:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12714"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
VAR-201804-0520
Vulnerability from variot - Updated: 2024-11-23 22:17

Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted "RF wake-up" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. Abbott Laboratories pacemakers contain an access control vulnerability. A service operation interruption (DoS) condition is possible. Accent, Anthem, Accent MRI, Assurity, Allure, and Assurity MRI are all implantable medical devices from Abbott Laboratories. Battery life. Multiple Abbott Pacemakers are prone to the following multiple security vulnerabilities:
1. An authentication-bypass vulnerability
2. An information-disclosure vulnerability
3. A Denial-of-Service vulnerability

Successful exploits may allow an attacker to gain unauthorized access or bypass intended security restrictions, obtain sensitive information or cause denial-of-service conditions.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201804-0520",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "assurity",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f14.07.80"
},
{
"model": "accent",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f0b.0e.7e"
},
{
"model": "anthem",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f0b.0e.7e"
},
{
"model": "accent st",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f10.08.6c"
},
{
"model": "assurity mri",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f17.01.49"
},
{
"model": "allure",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f14.07.80"
},
{
"model": "accent mri",
"scope": "lt",
"trust": 1.0,
"vendor": "abbott",
"version": "f10.08.6c"
},
{
"model": "accent",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "accent mri",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "accent st",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "allure",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "anthem",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "assurity",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "assurity mri",
"scope": null,
"trust": 0.8,
"vendor": "abbott",
"version": null
},
{
"model": "laboratories accent \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories anthem \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories accent mri \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories assurity \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories allure \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "laboratories assurity mri \u003caugust",
"scope": "eq",
"trust": 0.6,
"vendor": "abbott",
"version": "282017"
},
{
"model": "assurity mri",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "assurity",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "anthem",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "allure",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent st",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent mri",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "accent",
"scope": "eq",
"trust": 0.3,
"vendor": "abbott",
"version": "0"
},
{
"model": "assurity mri f17.01.49",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "assurity f14.07.80",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "anthem f0b.0e.7e",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "allure f14.07.80",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent st f10.08.6c",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent mri f10.08.6c",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": "accent f0b.0e.7e",
"scope": "ne",
"trust": 0.3,
"vendor": "abbott",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "anthem",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent mri",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "accent st",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "assurity",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "allure",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "assurity mri",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:abbott:accent_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:accent_mri_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:accent_st_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:allure_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:anthem_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:assurity_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:abbott:assurity_mri_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "MedSec Holdings Ltd",
"sources": [
{
"db": "BID",
"id": "100523"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
}
],
"trust": 0.9
},
"cve": "CVE-2017-12714",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 6.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.5,
"id": "CVE-2017-12714",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.2,
"id": "CNVD-2017-23900",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.6,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.2,
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"id": "CVE-2017-12714",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-12714",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2017-12714",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2017-23900",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201709-085",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6",
"trust": 0.2,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. Abbott Laboratories pacemakers Contains an access control vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Accent, Anthem, Accent MRI, Assurity, Allure, and Assurity MRI are all implantable medical devices from Abbott Laboratories. Battery life. Multiple Abbott Pacemakers are prone to the following multiple security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. An information-disclosure vulnerability\n3. A Denial-of-Service vulnerability\nSuccessful exploits may allow an attacker to gain unauthorized access or bypass intended security restrictions, obtain sensitive information or cause denial-of-service conditions",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-12714"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-12714",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSMA-17-241-01",
"trust": 3.3
},
{
"db": "BID",
"id": "100523",
"trust": 1.9
},
{
"db": "CNVD",
"id": "CNVD-2017-23900",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSMA-18-107-01",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2017.2157",
"trust": 0.3
},
{
"db": "IVD",
"id": "CB95B3A8-887C-44B0-B1F4-C00D35D478D6",
"trust": 0.2
}
],
"sources": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"id": "VAR-201804-0520",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
}
],
"trust": 1.8
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
}
]
},
"last_update_date": "2024-11-23T22:17:36.258000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.abbott.com/"
},
{
"title": "Abbott Laboratories Patches for Multiple Pacemaker Product Access Limiting Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/101203"
},
{
"title": "Multiple Abbott Product security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74540"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-920",
"trust": 1.0
},
{
"problemtype": "CWE-284",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsma-17-241-01"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/100523"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12714"
},
{
"trust": 0.8,
"url": "https://ics-cert.us-cert.gov/advisories/icsma-18-107-01"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12714"
},
{
"trust": 0.3,
"url": "http://www.abbott.com/"
},
{
"trust": 0.3,
"url": "http://abbott.mediaroom.com/2017-08-29-abbott-issues-new-updates-for-implanted-cardiac-devices"
},
{
"trust": 0.3,
"url": "https://www.auscert.org.au/bulletins/51662"
},
{
"trust": 0.3,
"url": "https://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm573669.htm"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"db": "BID",
"id": "100523"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-30T00:00:00",
"db": "IVD",
"id": "cb95b3a8-887c-44b0-b1f4-c00d35d478d6"
},
{
"date": "2017-08-30T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"date": "2017-08-29T00:00:00",
"db": "BID",
"id": "100523"
},
{
"date": "2018-06-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"date": "2017-08-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"date": "2018-04-25T13:29:00.287000",
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-30T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-23900"
},
{
"date": "2017-08-29T00:00:00",
"db": "BID",
"id": "100523"
},
{
"date": "2018-07-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-013349"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-085"
},
{
"date": "2024-11-21T03:10:04.977000",
"db": "NVD",
"id": "CVE-2017-12714"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Abbott Laboratories pacemakers Access control vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-013349"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201709-085"
}
],
"trust": 0.6
}
}
FKIE_CVE-2017-12714
Vulnerability from fkie_nvd - Published: 2018-04-25 13:29 - Updated: 2024-11-21 03:10

| Source | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/100523 | Third Party Advisory, VDB Entry | |
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100523 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | Third Party Advisory, US Government Resource |
| Vendor | Product | Version | |
|---|---|---|---|
| abbott | accent_firmware | * | |
| abbott | accent | - | |
| abbott | anthem_firmware | * | |
| abbott | anthem | - | |
| abbott | accent_mri_firmware | * | |
| abbott | accent_mri | - | |
| abbott | accent_st_firmware | * | |
| abbott | accent_st | - | |
| abbott | assurity_firmware | * | |
| abbott | assurity | - | |
| abbott | allure_firmware | * | |
| abbott | allure | - | |
| abbott | assurity_mri_firmware | * | |
| abbott | assurity_mri | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFF25F4E-CF32-41A5-9AEC-5CF2A1D70732",
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7261AA88-1BD6-4CDF-AFC0-31FD7F52B9E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6C940D7-5EA3-4D42-8FFE-0C38D2D0065E",
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4B28402F-D4DF-448B-8ED3-676E0B438331",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFC7CD6D-57F8-4479-A25C-9B9937FD3793",
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C752B8AA-8990-43DE-AB8B-57329E1E0AE1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CCA1805-9253-4267-ACE9-B9F3BBB1549A",
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*",
"matchCriteriaId": "794620AF-C8D5-4511-B4AF-5E8B4347F558",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0BF37E32-78D2-48CD-BF19-17533E3CB5DF",
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83B2EBFC-FB8A-402E-8C5C-118D4362B143",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "858B3E80-0179-4AD7-BC32-3AA87A7341C6",
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*",
"matchCriteriaId": "65B30268-EC36-42C3-8028-D345DC22A3DC",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95E52CB5-DB4A-42FE-B963-CE891D3C1A95",
"versionEndExcluding": "f17.01.49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43025EB2-8644-4BC5-BC3D-D67305C504B7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
},
{
"lang": "es",
"value": "Los marcapasos de Abbott Laboratories fabricados antes del 28 de agosto de 2017 no restringen o limitan el n\u00famero de comandos \"RF wake-up\" formateados correctamente que pueden recibir. Esto puede permitir que un atacante cercano env\u00ede comandos repetidamente para reducir la bater\u00eda del marcapasos. Puntuaci\u00f3n base de CVSS v3: 5.3, cadena de vector CVSS: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott ha desarrollado una actualizaci\u00f3n de firmware para ayudar a mitigar las vulnerabilidades identificadas."
}
],
"id": "CVE-2017-12714",
"lastModified": "2024-11-21T03:10:04.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-25T13:29:00.287",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-920"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-920"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CNVD-2017-23900
Vulnerability from cnvd - Published: 2017-08-30

用户可联系供应商获得补丁信息: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
| Name | ['Abbott Laboratories Accent <August 28,2017', 'Abbott Laboratories Anthem <August 28,2017', 'Abbott Laboratories Accent MRI <August 28,2017', 'Abbott Laboratories Assurity <August 28,2017', 'Abbott Laboratories Allure <August 28,2017', 'Abbott Laboratories Assurity MRI <August 28,2017'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2017-12714"
}
},
"description": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u8bbf\u95ee\u6b21\u6570\u9650\u5236\u6f0f\u6d1e\uff0c\u8d77\u640f\u5668\u4e0d\u9650\u5236\u6216\u9650\u5236\u53ef\u63a5\u6536\u7684\u6b63\u786e\u683c\u5f0f\u7684\u201cRF wake-up\u201d\u547d\u4ee4\u7684\u6570\u91cf\uff0c\u5141\u8bb8\u9644\u8fd1\u7684\u653b\u51fb\u8005\u91cd\u590d\u53d1\u9001\u547d\u4ee4\u4ee5\u51cf\u5c11\u8d77\u640f\u5668\u7684\u7535\u6c60\u5bff\u547d\u3002",
"discovererName": "unknow",
"formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-23900",
"openTime": "2017-08-30",
"patchDescription": "Accent\u3001Anthem\u3001Accent MRI\u3001Assurity\u3001Allure\u548cAssurity MRI\u90fd\u662f\u7f8e\u56fd\u96c5\u57f9\u5b9e\u9a8c\u5ba4\uff08Abbott Laboratories\uff09\u7684\u690d\u5165\u5f0f\u533b\u7597\u8bbe\u5907\u3002\r\n\r\nAbbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u5b58\u5728\u8bbf\u95ee\u6b21\u6570\u9650\u5236\u6f0f\u6d1e\uff0c\u8d77\u640f\u5668\u4e0d\u9650\u5236\u6216\u9650\u5236\u53ef\u63a5\u6536\u7684\u6b63\u786e\u683c\u5f0f\u7684\u201cRF wake-up\u201d\u547d\u4ee4\u7684\u6570\u91cf\uff0c\u5141\u8bb8\u9644\u8fd1\u7684\u653b\u51fb\u8005\u91cd\u590d\u53d1\u9001\u547d\u4ee4\u4ee5\u51cf\u5c11\u8d77\u640f\u5668\u7684\u7535\u6c60\u5bff\u547d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u8bbf\u95ee\u6b21\u6570\u9650\u5236\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Abbott Laboratories Accent \u003cAugust 28\uff0c2017",
"Abbott Laboratories Anthem \u003cAugust 28\uff0c2017",
"Abbott Laboratories Accent MRI \u003cAugust 28\uff0c2017",
"Abbott Laboratories Assurity \u003cAugust 28\uff0c2017",
"Abbott Laboratories Allure \u003cAugust 28\uff0c2017",
"Abbott Laboratories Assurity MRI \u003cAugust 28\uff0c2017"
]
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"serverity": "\u4e2d",
"submitTime": "2017-08-30",
"title": "Abbott Laboratories\u591a\u6b3e\u8d77\u640f\u5668\u4ea7\u54c1\u8bbf\u95ee\u6b21\u6570\u9650\u5236\u6f0f\u6d1e"
}
ICSMA-18-107-01
Vulnerability from csaf_cisa - Published: 2018-04-17 00:00 - Updated: 2018-04-17 00:00
{
"document": {
"acknowledgments": [
{
"organization": "MedSec Holdings Ltd",
"summary": "reporting these vulnerabilities to Abbott Laboratories and NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.",
"title": "Risk evaluation"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-18-107-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsma-18-107-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-18-107-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-107-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
"title": "Abbott Laboratories Defibrillator",
"tracking": {
"current_release_date": "2018-04-17T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSMA-18-107-01",
"initial_release_date": "2018-04-17T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-04-17T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-18-107-01 Abbott Laboratories Defibrillator"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Fortify Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Fortify Assura"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Promote Quadra: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Promote Quadra"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Current: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "Current"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Promote: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Promote"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Quadra Assura MP: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "Quadra Assura MP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify Quadra: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "Unify Quadra"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Quadra Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "Quadra Assura"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Ellipse: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "Ellipse"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "Unify"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Fortify: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "Fortify"
},
{
"branches": [
{
"category": "product_version_range",
"name": "distributed \u003c april 1, 2018",
"product": {
"name": "Unify Assura: manufactured and distributed prior to April 1 2018",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "Unify Assura"
}
],
"category": "vendor",
"name": "Abbott Laboratories"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-12712",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The device\u0027s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via RF communications. CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
"references": [
{
"category": "external",
"summary": "nvd.nist.gov",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12712"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott\u0027s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Therefore, the Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.sjm.com/cyberupdate%20"
},
{
"category": "vendor_fix",
"details": "Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
}
]
},
{
"cve": "CVE-2017-12714",
"cwe": {
"id": "CWE-920",
"name": "Improper Restriction of Power Consumption"
},
"notes": [
{
"category": "summary",
"text": "The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life. CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Abbott is a U.S.-based company headquartered in Abbott Park, Illinois. The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
"references": [
{
"category": "external",
"summary": "nvd.nist.gov",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12714"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update provides additional security to reduce the risk of unauthorized access by bypassing authentication to the following high voltage device families that utilize wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Abbott\u0027s older generation devices (i.e., Current and Promote) are not capable of accepting the firmware update due to technology limitations. If healthcare providers and patients have any concerns relating to device cybersecurity for those patients implanted with Current/Promote devices, providers have the option to permanently disable the RF communication capability in the device. However, if this option is selected, the patient can no longer be monitored remotely using an RF Merlin@home transmitter. For most patients, permanently disabling RF is not advisable given the proven benefits and improved survival associated with home monitoring.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Therefore, the Medical Advisory Board recommends the following:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "Patients and healthcare providers with questions can call the dedicated hotline at 1-800-722-3774 (U.S.) or visit https://www.sjm.com/cyberupdate for more information.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.sjm.com/cyberupdate%20"
},
{
"category": "vendor_fix",
"details": "Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication: FDA Safety Communication is available at the following location:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
},
{
"category": "vendor_fix",
"details": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
],
"url": "https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011"
]
}
]
}
]
}
ICSMA-17-241-01
Vulnerability from csaf_cisa - Published: 2017-08-29 00:00 - Updated: 2017-08-29 00:00
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "CISAservicedesk@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-17-241-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsma-17-241-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-17-241-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-17-241-01"
}
],
"title": "ICSMA-17-241-01_Abbott Laboratories\u0027 Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities",
"tracking": {
"current_release_date": "2017-08-29T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA USCert CSAF Generator",
"version": "1"
}
},
"id": "ICSMA-17-241-01",
"initial_release_date": "2017-08-29T00:00:00.000000Z",
"revision_history": [
{
"date": "2017-08-29T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-17-241-01 Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Accent MRI: manufactured prior to August 28",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Accent MRI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Assurity/Allure: manufactured prior to August 28",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Assurity/Allure"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Assurity MRI: manufactured prior to August 28",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "Assurity MRI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c august 28",
"product": {
"name": "Accent/Anthem: manufactured prior to August 28",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "Accent/Anthem"
}
],
"category": "vendor",
"name": "Abbott Laboratories"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-12712",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The pacemaker\u0027s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12712"
},
{
"cve": "CVE-2017-12716",
"cwe": {
"id": "CWE-311",
"name": "Missing Encryption of Sensitive Data"
},
"notes": [
{
"category": "summary",
"text": "The Accent and Anthem pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units. The Assurity and Allure pacemakers do not contain this vulnerability. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption; however, the Assurity and Allure pacemakers encrypt stored patient information.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12716"
},
{
"cve": "CVE-2017-12714",
"cwe": {
"id": "CWE-920",
"name": "Improper Restriction of Power Consumption"
},
"notes": [
{
"category": "summary",
"text": "The pacemakers do not restrict or limit the number of correctly formatted RF wake-up commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "The pacemaker firmware update will implement RF wake-up protections and limit the commands that can be issued to pacemakers via RF communications. Additionally the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only). The firmware update can be applied to an implanted pacemaker via the Merlin PCS Programmer by a healthcare provider. It is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update. Implementation of the firmware update is to be determined based on the physician\u0027s professional judgment and patient management considerations. Pacemakers manufactured beginning August 28, 2017, will have this update preloaded on devices.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
],
"title": "CVE-2017-12714"
}
]
}
GSD-2017-12714
Vulnerability from gsd - Updated: 2023-12-13 01:21
{
"GSD": {
"alias": "CVE-2017-12714",
"description": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GSD-2017-12714"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-12714"
],
"details": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GSD-2017-12714",
"modified": "2023-12-13T01:21:03.236873Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-08-29T00:00:00",
"ID": "CVE-2017-12714",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"version": {
"version_data": [
{
"version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
}
]
},
"vendor_name": "Abbott Laboratories"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Restriction of power consumption CWE-920"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:anthem_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f0b.0e.7e",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:anthem:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:accent_st_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f10.08.6c",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:accent_st:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:allure_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f14.07.80",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:allure:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:abbott:assurity_mri_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "f17.01.49",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:abbott:assurity_mri:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2017-12714"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-920"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-09T23:23Z",
"publishedDate": "2018-04-25T13:29Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.