# SSA-433987: Vulnerability in Radiation Oncology Products from Siemens Healthineers

Publication Date: 2019-05-24
Last Update: 2019-05-24
Current Version: 1.0
CVSS v3.0 Base Score: 9.8

SUMMARY
=======

Microsoft has released updates for several versions of Microsoft Windows, which fix a vulnerability in the Remote Desktop Service. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the target system if the system exposes the service to the network.

One Radiation Oncology product from Siemens Healthineers is affected by this vulnerability.

AFFECTED PRODUCTS AND SOLUTION
==============================

* Lantis
  - Affected versions: All versions
  - Remediation: Disable Remote Desktop Protocol (RDP) or close port 3389/tcp.

WORKAROUNDS AND MITIGATIONS
===========================

Siemens Healthineers has not identified any specific mitigations or workarounds.

GENERAL SECURITY RECOMMENDATIONS
================================

In addition, Siemens Healthineers recommends the following:

- Ensure you have appropriate backups and system restoration procedures.
- For specific patch and remediation guidance information, contact your local Siemens Healthineers customer service engineer, portal or our Regional Support Center.

PRODUCT DESCRIPTION
===================

Siemens Healthineers radiation oncology products are used in hospital environments for patient treatments.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

* Vulnerability CVE-2019-0708

  An unauthenticated attacker with access to port 3389/tcp in an affected device may execute arbitrary commands with elevated privileges.

  The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected device. No user interaction is required to exploit this vulnerability. The vulnerability impacts the confidentiality, integrity, and availability of the affected device.

  CVSS v3.0 Base Score: 9.8
  CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2019-05-24): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.