Product Security Advisory

Publish Date: 2022-11-03

Last Update: 2022-11-03

Executive Summary

Roche is aware of the OpenSSL Punycode vulnerabilities. To date we have not identified any of our products to be vulnerable by virtue of not leveraging any of the affected versions. We are continuously evaluating and monitoring the situation and will provide an update if and where needed. If you have questions or need more information, please contact your local Roche affiliate.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2022-03-08

Last Update: 2022-03-08

Executive Summary

Roche is aware of the Axeda vulnerabilities and evaluating and assessing the situation and rolling out mitigations, if and where needed.

If you have questions or need more information, please contact your local Roche affiliate.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]

Publish Date: 2019-09-27

Last Update: 2019-09-27

Executive Summary

Roche is aware of a set of security vulnerabilities within a number of real-time operating systems (RTOS) - including Wind River’s VxWorks RTOS - that were disclosed recently by security researchers at Armis. These vulnerabilities, commonly referred to as URGENT/11, impact the TCP/IP stack of multiple RTOS and could lead to remote code execution which could allow an attacker to take over a system without interacting with the user.

As part of our product security policies, Roche Diagnostics has assessed our products for potential impacts from these vulnerabilities and determined that no actions are required for our products.

As a general security measure, Roche strongly recommends to thoroughly control network access to devices with appropriate mechanisms including the Roche firewall. We highly recommend to configure the operating environment according to Roche’s installation guidelines and to follow the recommendations in the product manuals.

Affected Products

Our review has identified a limited set of Roche Diagnostics products (IVD analyzers and systems) that use the VxWorks operating system. These fall into two categories:

1. Connected products that do not include vulnerable versions of VxWorks 
   
2. Offline products that may use vulnerable versions of VxWorks but are not at risk as they are not connected to the network
   

None of these products expose the vulnerabilities or are at risk.

Potential Impact

Our current assessment of the reported vulnerabilities is that Roche Diagnostics products are not directly impacted by the URGENT/11 set of vulnerabilities. While there is some use of vulnerable versions of VxWorks, these products run on isolated units without customer network connectivity and are therefore not at risk. Roche Diagnostics products use a firewall that is not based on VxWorks and is therefore not itself susceptible to the URGENT/11 vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

Mitigations / Workarounds

No mitigations or workarounds are required for these vulnerabilities.

For further information or concerns, please contact your local Roche Diagnostics office.

Contact Information

Roche Customers

Please contact your local Roche Diagnostics office

Security Researchers

For Diagnostics product-related security topics, please contact [email protected]

For general Roche related security topics, please contact [email protected]