Medical System Security Information

1. Apache Log4j Vulnerability (Log4Shell)
   Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
   https://logging.apache.org/log4j/2.x/security.html
2. Impacts on our products
   SYNAPSE VNA software versions 6.3 and later may be affected by this vulnerability.  
   Fujifilm has released a mitigation script that must be applied to each SYNAPSE VNA software. 
   All other products are unaffected. 
   For this security inquiries, contact the sales office where you purchased the product or you are considering purchasing the product. 

1. Treck TCP/IP stack vulnerabilities
   19 vulnerabilities were found in Treck TCP/IP stack named Ripple20. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the website below.
   https://www.jsof-tech.com/ripple20
   https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
2. Impacts on our products
   Our products do not use Treck TCP/IP which has these vulnerabilities. Therefore, we have determined that they are not affected by these vulnerabilities.

1. Bluetooth Low Energy Vulnerability (SweynTooth)
   FDA issued the following FDA Safety Communication on March 3, 2020.
   SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices（FDA Safety Communication）
   It describes information regarding vulnerabilities, named “Sweyn Tooth”, associated with a wireless
   communication technology known as Bluetooth Low Energy (BLE).
2. Summary
   Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a
   deadlock, crash, buffer overflow, or to completely bypass security function. For details, refer to the
   website below.
   https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
3. Impacts on our products
   Our products do not have a Bluetooth function that uses this vulnerable Bluetooth Low Energy (BLE).
   Therefore, we have determined that they are not affected by these vulnerabilities.

1. Vulnerabilities of Remote Desktop Service for Windows
   Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-1182) of remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs, display, modify, or delete data.
2. Impacts on our products
   Our products are not affected by these vulnerabilities, but since Microsoft has released patches for them, we have also completed the patch application evaluation for the products using the subject Windows. If you would like to apply the patch, contact the sales office where you purchased the product. In addition, in order to maintain the security of our products, refer to the following (3) for ensuring the security of your network.
3. Reference
   The following countermeasures are effective for vulnerabilities of the remote desktop service in the network environment of customers.
   
    (a) Disallowance for the use of Remote Desktop Services
   If it is possible to allow or disallow the use of remote desktop services in the Windows settings, disallow it.
   
   (b) Communication route control
   In the network to which our products are connected, set the network device so as to prohibit communication from computers other than those that allow access to them.
   
    (c) Control of communication protocol and communication port
   Since the attack on the remote desktop service uses the following communication protocols and communication ports, the network device is set so as not to allow the communication.

1. VxWorks Vulnerabilities
   Serious vulnerabilities of VxWorks named “URGENT/11” have been notified on the HP of Wind River and it is recommended to take urgent measures.
2. Summary
   URGENT/11 is 11 vulnerabilities found in VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. Other vulnerabilities could also be exploited for denial of service or information disclosure. For details, refer to the website below.
   TCP/IP Network Stack (IPnet, Urgent/11)  (Wd River)
   URGENT/11  (Armis)
3. Impacts on our products
   Our products do not have VxWorks that uses IPnet with these vulnerabilities and we have determined that they are not affected by these vulnerabilities.

1. Apache Log4j Vulnerability (Log4Shell)
   Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
   https://logging.apache.org/log4j/2.x/security.html
2. Impacts on our products
   We have determined that our products are not affected by this vulnerability because they do not use the associated versions of Apache Log4j.
   
   However, our server for remote services, which is used to maintain our products, has the version of Apache Log4j, but we confirmed the function that contains the vulnerability has been disabled.

1. BlackBerry Real-Time Operating System (RTOS) "QNX" Vulnerability
   BlackBerry has announced a vulnerability (CVE-2021-22156) in the QNX Real Time Operating System (RTOS).
   Exploitation of this vulnerability could lead to a denial of service or execute arbitrary code on the affected device. For details, please refer to the following external reference website below.
   https://support.blackberry.com/kb/articleDetail?articleNumber=000082334
   https://us-cert.cisa.gov/ncas/alerts/aa21-229a
2. Impacts on our products
   We have determined that our products are not affected by this vulnerability because they do not use BlackBerry real-time operating system (RTOS) "QNX".

1. Treck TCP/IP stack vulnerabilities
   19 vulnerabilities were found in Treck TCP/IP stack named Ripple20. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the following external reference website.
   https://www.jsof-tech.com/ripple20
   https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
2. Impacts on our products
   We have determined that our products are not affected by this vulnerability because they do not use Treck TCP/IP stack.

1. Bluetooth Low Energy Vulnerability (SweynTooth)
   FDA issued the following FDA Safety Communication on March 3, 2020.
   For details, refer to the following external reference website.
   https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication
   It describes information regarding vulnerabilities, named “Sweyn Tooth”, associated with a wireless communication technology known as Bluetooth Low Energy (BLE).
2. Summary
   Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a deadlock, crash, buffer overflow, or to completely bypass security function. For details, refer to the following external reference website.
   https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
3. Impacts on our products
   We have determined that our products are not affected by these vulnerabilities because they do not use Bluetooth Low Energy (BLE).

1. Vulnerabilities of Remote Desktop Service for Windows
   Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-1182) of remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs, display, modify, or delete data.
2. Impacts on our products
   Remote Desktop Services is enabled on some of our products. We judge that the impact of this vulnerability is small in the assumed network environment. At the request of the customer, it is possible to take measures such as disabling the remote desktop service. Please contact the sales office where you purchased the product.
   
   All other products are not affected by these vulnerabilities because the OS that contains these  vulnerabilities is uninstalled, or Remote Desktop Services is disabled.

1. VxWorks Vulnerabilities
   Serious vulnerabilities of VxWorks named “URGENT/11” have been notified on the HP of Wind River and it is recommended to take urgent measures.
2. Summary
   URGENT/11 is 11 vulnerabilities found in VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. Other vulnerabilities could also be exploited for denial of service or information disclosure. For details, refer to the following external reference website.
   https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
   https://www.armis.com/research/urgent11/
3. Impacts on our products
   In our MRI system, VxWorks is used as an image processor, but due to the equipment configuration, it is highly unlikely that this vulnerability can be attacked, and we have determined that it is not affected by these vulnerabilities.
   
   All other products are not affected by these vulnerabilities because they do not use VxWorks.

We currently do not have any urgent announcements.