Security

Product Security Advisory

How to Report (Roche customers)

 

If you are / represent a customer of Roche, please inform your responsible local Roche Diagnostics affiliate about product issues, including any potential cyber security vulnerabilities, to ensure proper complaint handling and processing in accordance with your service contract.

How to Report (Security Researchers and other vulnerability finders)

If you want to report a potential cyber security vulnerability in a Roche Diagnostics product and/or service please contact us at [email protected].

Related information

Product Security Advisory & Archive

Product Security Advisory & Archive

Publish Date: 2025-01-15

Last Update: 2025-01-157

 

Executive Summary

Roche is aware of a vulnerability in Algo Edge - a previously used (legacy) component of navify® Algorithm Suite. The vulnerability impacts the authentication mechanism of this component and could allow an attacker with local access to the laboratory network and the Algo Edge system to craft valid authentication tokens and access the component. Other components of navify® Algorithm Suite are not affected.

Roche Diagnostics has assessed the potential impact from this vulnerability and has released an update of this component and has migrated affected customers to a new solution.

As a general security measure, Roche strongly recommends to thoroughly control network access to devices with appropriate mechanisms including the Roche-provided firewall. We highly recommend configuring the operating environment according to Roche’s installation guidelines and to follow the recommendations in the product manuals.

 

Affected Products

Our current assessment of the reported vulnerability is that all versions of Algo Edge before 2.1.2 are impacted. Almost all customers have already received an updated version of Algo Edge (2.1.2 or higher) or have migrated to the new solution.

Please contact your local Roche Diagnostics office for further information on the update schedule.

 

Potential Impact

The vulnerability impacts the authentication mechanism of Algo Edge that controls access to a service interface and could allow an attacker with local access to the laboratory network and the Algo Edge system to craft valid authentication tokens and access the component. The weakness is only exposed to the internal authorized laboratory network which is currently protected by existing overall security controls. For this reason, Roche believes the risk is significantly reduced. Additionally, the impacted component only manages transient data.

CVE-2024-13026 (CWE-326)

CVSS v4.0 Score: 5.7 / Medium

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:N/R:A/V:D/RE:L/U:Clear

For further information or concerns, please contact your local Roche Diagnostics office.

 

Mitigations / Workarounds

No temporary workarounds are necessary as all customers affected have been or are being migrated to the new solution.

For further information or concerns, please contact your local Roche Diagnostics office.

 

 

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Acknowledgements

Roche thanks Calif.io for reporting this vulnerability.

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

 

Please check the advisory content clicking here.

Publish Date: 2022-11-03

Last Update: 2022-11-03

 

Executive Summary

Roche is aware of the OpenSSL Punycode vulnerabilities. To date we have not identified any of our products to be vulnerable by virtue of not leveraging any of the affected versions. We are continuously evaluating and monitoring the situation and will provide an update if and where needed. If you have questions or need more information, please contact your local Roche affiliate.

 

 

 

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

 

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2022-03-08

Last Update: 2022-03-08

 

Executive Summary

Roche is aware of the Axeda vulnerabilities and evaluating and assessing the situation and rolling out mitigations, if and where needed.

If you have questions or need more information, please contact your local Roche affiliate.

 

 

 

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

 

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2019-09-27

Last Update: 2019-09-27

 

Executive Summary

Roche is aware of a set of security vulnerabilities within a number of real-time operating systems (RTOS) - including Wind River’s VxWorks RTOS - that were disclosed recently by security researchers at Armis. These vulnerabilities, commonly referred to as URGENT/11, impact the TCP/IP stack of multiple RTOS and could lead to remote code execution which could allow an attacker to take over a system without interacting with the user.

As part of our product security policies, Roche Diagnostics has assessed our products for potential impacts from these vulnerabilities and determined that no actions are required for our products.

As a general security measure, Roche strongly recommends to thoroughly control network access to devices with appropriate mechanisms including the Roche firewall. We highly recommend to configure the operating environment according to Roche’s installation guidelines and to follow the recommendations in the product manuals.

 

 

Affected Products

Our review has identified a limited set of Roche Diagnostics products (IVD analyzers and systems) that use the VxWorks operating system. These fall into two categories:

  1. Connected products that do not include vulnerable versions of VxWorks 
  2. Offline products that may use vulnerable versions of VxWorks but are not at risk as they are not connected to the network

None of these products expose the vulnerabilities or are at risk.

 

Potential Impact

Our current assessment of the reported vulnerabilities is that Roche Diagnostics products are not directly impacted by the URGENT/11 set of vulnerabilities. While there is some use of vulnerable versions of VxWorks, these products run on isolated units without customer network connectivity and are therefore not at risk. Roche Diagnostics products use a firewall that is not based on VxWorks and is therefore not itself susceptible to the URGENT/11 vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

 

Mitigations / Workarounds

No mitigations or workarounds are required for these vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

 

 

 

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

 

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]