Product Security Advisory

Publish Date: 2025-07-17

Last Update: 2025-07-17

Executive Summary

Roche Diagnostics has recently detected  a vulnerability in the input validation mechanism of an API (Application Programming Interface), which lacks adequate validation measures for data input provided by users. Attackers can potentially exploit this vulnerability by sending excessively large sets of data, or unexpected data, with malicious intent to the API. Without proper validation by the software, this flawed input could potentially negatively impact the server’s performance, leading to resource exhaustion or saturation. Consequently, the server could consume all available memory, or network connections, or CPU resources resulting in a Denial of Service (DoS) and rendering the API unusable for legitimate users.

After assessing the potential impact of this vulnerability, Roche Diagnostics has implemented updates to rectify the flaw. Roche has also put measures in place to enforce strict input validation, define expected limits and formats for each type of data, utilizing sanitization techniques to strip harmful content, and establishing robust error handling systems to efficiently identify and respond to abnormal traffic patterns.

As a general security measure, Roche strongly recommends thorough control of network access to devices with appropriate mechanisms including the Roche-provided firewall. We highly recommend configuring the operating environment according to Roche’s installation guidelines and adhering to recommendations provided in the product manuals.

Affected Products

The reported vulnerability impacts all versions of navify Monitoring prior to version 1.08.00. The full package with the issue fixed is available via your Roche contact, so customers can be updated to the latest version.

Please contact your local Roche Diagnostics representative or office for further information on the update schedule.

Potential Impact

This vulnerability in improper input validation can be exploited by attackers to affect the server's performance adversely, leading to resource exhaustion or saturation. The server may consume all available memory, or network connections, or CPU resources resulting in a Denial of Service (DoS) and rendering the API unusable for legitimate users. The weakened server interface, if accessed maliciously, may have severe consequences such as operational and financial losses and damage to service reputation.

Category: CWE-20: Improper Input Validation

CVSS v4.0 Score: 7.1 / High

**CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

For further information or concerns, please contact your local Roche Diagnostics office.

Mitigations / Workarounds

No temporary workarounds are necessary as all affected customers have been or are currently being migrated to the new solution with strict input validation mechanisms.

For further information or questions, please contact your local Roche Diagnostics representative or  office.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Please check the advisory content clicking here.

Publish Date: 2025-01-15

Last Update: 2025-01-157

Executive Summary

Roche is aware of a vulnerability in Algo Edge - a previously used (legacy) component of navify® Algorithm Suite. The vulnerability impacts the authentication mechanism of this component and could allow an attacker with local access to the laboratory network and the Algo Edge system to craft valid authentication tokens and access the component. Other components of navify® Algorithm Suite are not affected.

Roche Diagnostics has assessed the potential impact from this vulnerability and has released an update of this component and has migrated affected customers to a new solution.

As a general security measure, Roche strongly recommends to thoroughly control network access to devices with appropriate mechanisms including the Roche-provided firewall. We highly recommend configuring the operating environment according to Roche’s installation guidelines and to follow the recommendations in the product manuals.

Affected Products

Our current assessment of the reported vulnerability is that all versions of Algo Edge before 2.1.2 are impacted. Almost all customers have already received an updated version of Algo Edge (2.1.2 or higher) or have migrated to the new solution.

Please contact your local Roche Diagnostics office for further information on the update schedule.

Potential Impact

The vulnerability impacts the authentication mechanism of Algo Edge that controls access to a service interface and could allow an attacker with local access to the laboratory network and the Algo Edge system to craft valid authentication tokens and access the component. The weakness is only exposed to the internal authorized laboratory network which is currently protected by existing overall security controls. For this reason, Roche believes the risk is significantly reduced. Additionally, the impacted component only manages transient data.

CVE-2024-13026 (CWE-326)

CVSS v4.0 Score: 5.7 / Medium

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:N/R:A/V:D/RE:L/U:Clear

For further information or concerns, please contact your local Roche Diagnostics office.

Mitigations / Workarounds

No temporary workarounds are necessary as all customers affected have been or are being migrated to the new solution.

For further information or concerns, please contact your local Roche Diagnostics office.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Acknowledgements

Roche thanks Calif.io for reporting this vulnerability.

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Please check the advisory content clicking here.

Publish Date: 2022-11-03

Last Update: 2022-11-03

Executive Summary

Roche is aware of the OpenSSL Punycode vulnerabilities. To date we have not identified any of our products to be vulnerable by virtue of not leveraging any of the affected versions. We are continuously evaluating and monitoring the situation and will provide an update if and where needed. If you have questions or need more information, please contact your local Roche affiliate.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2022-03-08

Last Update: 2022-03-08

Executive Summary

Roche is aware of the Axeda vulnerabilities and evaluating and assessing the situation and rolling out mitigations, if and where needed.

If you have questions or need more information, please contact your local Roche affiliate.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2019-09-27

Last Update: 2019-09-27

Executive Summary

Roche is aware of a set of security vulnerabilities within a number of real-time operating systems (RTOS) - including Wind River’s VxWorks RTOS - that were disclosed recently by security researchers at Armis. These vulnerabilities, commonly referred to as URGENT/11, impact the TCP/IP stack of multiple RTOS and could lead to remote code execution which could allow an attacker to take over a system without interacting with the user.

As part of our product security policies, Roche Diagnostics has assessed our products for potential impacts from these vulnerabilities and determined that no actions are required for our products.

As a general security measure, Roche strongly recommends to thoroughly control network access to devices with appropriate mechanisms including the Roche firewall. We highly recommend to configure the operating environment according to Roche’s installation guidelines and to follow the recommendations in the product manuals.

Affected Products

Our review has identified a limited set of Roche Diagnostics products (IVD analyzers and systems) that use the VxWorks operating system. These fall into two categories:

1. Connected products that do not include vulnerable versions of VxWorks 
   
2. Offline products that may use vulnerable versions of VxWorks but are not at risk as they are not connected to the network
   

None of these products expose the vulnerabilities or are at risk.

Potential Impact

Our current assessment of the reported vulnerabilities is that Roche Diagnostics products are not directly impacted by the URGENT/11 set of vulnerabilities. While there is some use of vulnerable versions of VxWorks, these products run on isolated units without customer network connectivity and are therefore not at risk. Roche Diagnostics products use a firewall that is not based on VxWorks and is therefore not itself susceptible to the URGENT/11 vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

Mitigations / Workarounds

No mitigations or workarounds are required for these vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]