Diagnostics Product Cyber Security

Product Security Advisory

How to Report (Roche customers)

If you are / represent a customer of Roche, please inform your responsible local Roche Diagnostics affiliate about product issues, including any potential cyber security vulnerabilities, to ensure proper complaint handling and processing in accordance with your service contract.

How to Report (Security Researchers and other vulnerability finders)

If you want to report a potential cyber security vulnerability in a Roche Diagnostics product and/or service please contact us at security@roche.com.

Product Security Advisory & Archive

Publish Date: 2019-09-27

Last Update: 2019-09-27

Executive Summary

Roche is aware of a set of security vulnerabilities within a number of real-time operating systems (RTOS), including Wind River’s VxWorks RTOS, that were disclosed recently by security researchers at Armis. These vulnerabilities, commonly referred to as URGENT/11, affect the TCP/IP stack of multiple RTOSes and could lead to remote code execution, allowing an attacker to take over a system without any user interaction.

As part of our product security policies, Roche Diagnostics has assessed our products for potential impacts from these vulnerabilities and determined that no actions are required for our products.

As a general security measure, Roche strongly recommends thoroughly controlling network access to devices with appropriate mechanisms, including the Roche firewall. We highly recommend configuring the operating environment according to Roche’s installation guidelines and following the recommendations in the product manuals.

Affected Products

Our review has identified a limited set of Roche Diagnostics products (IVD analyzers and systems) that use the VxWorks operating system. These fall into two categories:

  1. Connected products that do not include vulnerable versions of VxWorks
  2. Offline products that may use vulnerable versions of VxWorks but are not at risk, as they are not connected to the network

None of these products expose the vulnerabilities or are at risk.

Potential Impact

Our current assessment of the reported vulnerabilities is that Roche Diagnostics products are not directly impacted by the URGENT/11 set of vulnerabilities. While there is some use of vulnerable versions of VxWorks, these products run on isolated units without customer network connectivity and are therefore not at risk. Roche Diagnostics products use a firewall that is not based on VxWorks and is therefore not itself susceptible to the URGENT/11 vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

Mitigations / Workarounds

No mitigations or workarounds are required for these vulnerabilities.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office.

Security Researchers

For Diagnostics product-related security topics, please contact dia.pcert@roche.com.

For general Roche-related security topics, please contact security@roche.com.