Support and Services

Nurses looking at a chart together.

Customer Support

Security Bulletins

Canon Medical security bulletin image.

.NET 6.0 and Visual Studio Vulnerability

Published: Sept. 30, 2024

Description
.NET 6.0 and Visual Studio Denial of Service Vulnerability
CVE-ID and Link: CVE-2024-38095 NVD – CVE-2024-38095 (nist.gov)

Affected Product(s): Vitrea® Advanced Visualization

Version(s): 7.15.7, 7.15.7.SU01, 7.15.8, 7.15.8.SU01, 7.16.0, 7.16.0.SU01, 7.16.0.SU02, 7.16.0.SU03

Deployment Type(s): All

Note: For enterprise systems, this action is necessary for all servers with the affected Vitrea application versions. It is not required for thin client systems.

Recommended Actions
Canon Medical highly recommends that customers manually download and update the Microsoft runtime versions.

Updates can be found here:
https://dotnet.microsoft.com/en-us/download/dotnet/6.0
Install the latest versions of the following: ASP.NET Core Runtime, .NET Desktop Runtime, .NET Runtime

To confirm the updated runtimes are installed, from a Powershell console, issue the following command:
dotnet –list-runtimes

Verify that you see the expected (matching) version of all three runtimes:

  • Microsoft.AspNetCore.App
  • Microsoft.NETCore.App
  • Microsoft.WindowsDesktop.App

Note: This issue will be fixed in a future release.

 

For questions, contact your account manager or support at +1 952-487-9519.

NVIDIA GPU Display Driver – Security Issue

Published July 26, 2024

NVIDIA has released the following security announcement about CVE-2024-0107:
https://nvidia.custhelp.com/app/answers/detail/a_id/5557

This applies to all users with NVIDIA RTX, Quadro, and Nvidia Data Center GPU (vGPU) cards in their Vitrea deployment(s).

Specific driver updates for the NVIDIA graphics cards are listed below:

RTX/Quadro:

NVIDIA RTX/ Quadro, NVS
Windows
R550 All driver versions prior to 552.74 552.74
R535 All driver versions prior to 538.78 538.78
R470 All driver versions prior to 475.14 475.14

Data Center vGPU:

All versions up to and including 16.6 538.67 16.7 538.78
All versions up to and including 13.11 475.06 13.12 475.14

To protect your system, download and install this software update through the NVIDIA Driver Downloads Portal or, for the vGPU software update, through the NVIDIA Licensing Portal.

NVIDIA Driver Download Portal – vGPU Data Center Driver Download Location:
https://www.nvidia.com/Download/index.aspx?lang-en-us

NVIDIA RTX Server Driver release DCH (Windows Server 2019, Windows Server 2022) 552.74
https://www.nvidia.com/download/driverResults.aspx/228842/en-us/

NVIDIA RTX Server Driver release DCH (Windows 10 64-bit, Windows 11) 552.74
https://www.nvidia.com/download/driverResults.aspx/228841/en-us/

NVIDIA RTX Server Driver release DCH (Windows Server 2019, Windows Server 2022) 538.78
https://www.nvidia.com/download/driverResults.aspx/229004/en-us/

NVIDIA RTX Server Driver release DCH (Windows 10 64-bit, Windows 11) 538.78
https://www.nvidia.com/download/driverResults.aspx/228843/en-us/

NVIDIA RTX Server Driver release Standard (Windows Server 2016) 475.14
https://www.nvidia.com/download/driverResults.aspx/228840/en-us/

For more information: · Contact CMI Customer Support at support@mi.medical.canon

Microsoft Component of SQL Server Management Studio (SSMS) – Security Vulnerability

Published: May 28, 2024

Descriptions
Microsoft SQL Server Management Studio (SSMS) v18.12.1 installs an unnecessary software package called Azure Data Studio.

The Microsoft SSMS utility, installed by default in Vitrea AV, deploys an unnecessary software package “Azure Data Studio” that currently carries a high severity vulnerability regarding Improper Access Control (CVE-2024-26203).

Affected Product(s): Vitrea AV
Version(s): 7.16.0.SU01, 7.16.0, 7.15.8.SU01, 7.15.8, 7.15.7.SU01, 7.15.7, 7.15.6

Deployment Type(s): Workstation, Extend, Enterprise Management Server, Enterprise Single Server, Government Enterprise Single Server

Recommended Actions
Canon Medical highly recommends that customers manually remove Azure Data Studio by following these steps.
From the Start menu:

  • Right Click the Start button on the task bar.
  • Select ‘Apps and Features’ (Programs and Features on some Windows OSs).
  • An Apps & Features window will open, and there will be a list of all installed software.
  • Search or scroll through the list to find Azure Data Studio.
  • Click on Azure Data Studio to highlight and to reveal an uninstall option.
  • Click uninstall and then confirm to continue. You may be asked to authenticate with an admin-user account.
  • A confirmation will appear once the software has been removed.

Note: This issue will be fixed in a future release.

 

For questions, contact your account manager or support at +1 952-487-9519.

NVIDIA GPU Display Driver – Security Advisory

Published April 13, 2024

SUMMARY

NVIDIA has provided the following Security Announcement:

NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses multiple issues.

Specific driver update for vGPU Data Center cards and Quadro video cards is 535.33 for Windows 10/11 and Windows Server 2019/2022.  474.82 for Windows Server 2016The 16.4 driver bundle from the Nvidia Driver Download Portal for vGPU Data Center cards.

To protect your system, download and install this software update through the NVIDIA Driver Downloads Portal or, for the vGPU software update, through the NVIDIA Licensing Portal.

Impact assessment and details on these high severity vulnerabilities are available through the NVIDIA Security Advisory provided at the below.

REFERENCES AND SERVICES:

NVIDIA Security Advisory

https://nvidia.custhelp.com/app/answers/detail/a_id/5520

NVIDIA Driver Download Portal – vGPU Data Center Driver Download Location

https://www.nvidia.com/Download/index.aspx?lang=en-us

NVIDIA Windows 10/11 DCH driver

https://www.nvidia.com/download/driverResults.aspx/220140/en-us/

NVIDIA Windows Server 2019/2022 DCH Driver

https://www.nvidia.com/download/driverResults.aspx/220141/en-us/

NVIDIA Windows Server 2016 Standard Driver

https://www.nvidia.com/download/driverResults.aspx/220534/en-us/

RESOLUTION

Canon Medical strongly recommends installing vendor patches and  security updates as soon as possible.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2022-38765 Vitrea View 7.x Indirect Object Access Vulnerability – Security Advisory

Published: December 9, 2022

An unscored (as of December 9, 2022) vulnerability, CVE-2022-38765, has been identified in Vitrea View versions prior to 7.8 that have custom patient SSO access enabled.

EXECUTIVE SUMMARY

In August 2022 a security researcher identified a vulnerability in a custom patient SSO module for Vitrea View 7.7.6 where an authenticated patient could retrieve information unrelated to their medical record. The exploit requires valid credentials and the ability to modify and monitor “POST” variables.
This vulnerability was brought to Canon Medical’s attention in August 2022, and a fix

was developed, tested, and applied in all affected systems within 48 hours.

 

Products that are not affected by this Vitrea View vulnerability:

  • Vitrea Advanced Visualization
  • Vitrea View 7.8 and above
  • Vitrea Read (formerly known as Easy Viz)
  • Vitrea Connection
  • Rialto products
  • Zillion products
  • Solution Health (Cloud and On-Prem)
  • Any Canon Medical modality

Products that are affected by CVE-2022-37461:

  • Vitrea View (versions < 7.8)

RESOLUTION

No further actions are required at this time to mitigate vulnerability CVE-2022-38765. Canon Medical recommends that all customers run Vitrea View behind a web application firewall and/or load balancer to provide additional layers of security as part of a “defense in depth” or “zero trust security” posture.

If you have any questions, please contact our support team.

CVE-2022-37461 Vitrea View 7.x Cross-site Scripting Vulnerabilities – Security Advisory

Published: September 30, 2022

An unscored (as of September 30, 2022) vulnerability, CVE-2022-37461, has been identified in Vitrea View versions prior to 7.7.6.

EXECUTIVE SUMMARY

This vulnerability has two methods of attack – a “pre-authorization” exploit and a “post-authorization” exploit.  Both exploits involve attackers creating URLs that point to vulnerable Vitrea View installations and which contain malicious code, and the “post-authorization” exploit also requires convincing an authenticated Vitrea View user to click on the malicious link.

This vulnerability was brought to Canon Medical’s attention as part of a routine penetration test in a testing environment, was fixed, and was included in Vitrea View 7.7.6, released April 29, 2022. No patient information was accessed or exfiltrated.

Products that are not affected by this Vitrea View vulnerability:

  • Vitrea Advanced Visualization
  • Vitrea View 7.7.6 and above
  • Vitrea Read (formerly known as Easy Viz)
  • Vitrea Connection
  • Rialto products
  • Zillion products
  • Solution Health (Cloud and On-Prem)
  • Any Canon Medical modality

Products that are affected by CVE-2022-37461:

  • Vitrea View (versions < 7.7.6)

RESOLUTION

All customers currently running a version of Vitrea View 7.7.x prior to 7.7.6 should upgrade to the latest Vitrea View version.

Canon Medical recommends that all customers run Vitrea View behind a web application firewall and/or load balancer to provide additional layers of security as part of a “defense in depth” or “zero trust security” posture.

If you have any questions, please contact our support team.

Spring Framework “SpringShell” — Security Advisory

Published: April 07, 2022

Updated: May 30, 2023

Executive Summary

A critical vulnerability, CVE-2022-22965, has been identified in Spring Framework. This vulnerability is affecting the entire software industry, including some Canon Medical Informatics products. Specific combinations of Apache Tomcat and the Spring Boot executable are susceptible to a remote code execution (RCE) vulnerability.

Products that are not affected by SpringShell vulnerability:

  • Vitrea Advanced Visualization (all versions prior to 7.14.x)
  • Vitrea View
  • Solution Health (Cloud and On-Prem)
  • Easy Viz
  • Zillion products
  • Vitrea Connection
  • Rialto products

Products that are affected by SpringShell vulnerability:

  • Vitrea Advanced Visualization (7.15.x and 7.14.x)

Mitigation:

The remediation recommended for this vulnerability is in the most updated version of the affected product; Vitrea AV

If you have any questions, please contact our support team.

CVE-2022-0778 – Open SSL Infinite loop – Security Advisory

Published: March 15, 2022

Updated: March 22, 2022

 

VULNERABILITY SUMMARY

The custodians of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates.

Tracked as CVE-2022-0778 the issue stems from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in what’s called an “infinite loop.” The flaw resides in a function called BN_mod_sqrt() that’s used to compute the modular square root.

 

REFERENCES AND SERVICES:

https://nvd.nist.gov/vuln/detail/CVE-2022-0778

https://www.openssl.org/news/secadv/20220315.txt

https://www.cisa.gov/uscert/ncas/current-activity/2022/03/17/openssl-releases-security-updates

 

RESOLUTION

Canon Medical recommends taking OpenSSL updates as they are made available.

Please use the references above to determine which update is applicable to your OpenSSL deployment.

 

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact  Canon Medical Customer Success.

Apache Log4j Security Vulnerabilities – Zero Day – Security Advisory

Published: December 12, 2021      Updated: March 1, 2022

Executive Summary

Critical vulnerabilities, CVE-2021-44228CVE-2021-45046CVE-2021-45105CVE-2021-44832  have been identified in Apache Log4j, a popular Java based logging framework. This vulnerability is affecting the entire software industry, including some Canon Medical Informatics products. Apache Log4j 2.14.1 and below are susceptible to a remote code execution vulnerability where a remote attacker can take full control of a vulnerable machine. As such, it is critical to take immediate actions to mitigate this vulnerability.

Products that are not affected by Apache Log4j vulnerability:

  • Vitrea View
  • Vitrea Advanced Visualization 6.x
  • Solution Health (Cloud)
  • Easy Viz
  • Zillion
  • Rialto Connect and Rialto Vault
  • Olea Sphere

– Applications integrated with Vitrea (iCAD, Invia, Medis, Mevis, Mirada, Olea and Tomtec ) are not affected.

Products that are affected by Apache Log4j vulnerability:

  • Vitrea Advanced Visualization 7.x
  • Vitality XT server
  • Vitrea Connection 8.x
  • Rialto 7.x
  • Solution Health (On-Prem)
  • Vitrea DataStream

Recommended actions for mitigation:

External Network

  • Update firewall configurations to block outbound connections on the LDAP port. Please contact your IT department to update your firewall configurations. As an example, please see the following industry-recommended mitigation.
  • Patch the offending log4j libraries in affected products to remove the specific piece of code that enables the vulnerability.

Internal Network

The latest update is a non-functional update. If your site has already ran a previous version of this mitigation, running this latest version is unnecessary

NOTE* – If you ran the mitigation prior to this update, you will need to run this updated/comprehensive script to mitigate CVE-2021-44832 vulnerability.

Please monitor this website for future updates.

If you have any questions, please contact our support team.

Microsoft Windows Installer Elevation of Privilege Vulnerability – Security Advisory

Update: Nov 9, 2021

Published: Nov 12, 2021

Microsoft continues to address this vulnerability involving the windows installer elevation of privilege in Windows operating systems. Similarly to the announcements in recent weeks, a new vulnerability has been discovered. Microsoft has yet to patch this vulnerability.

VULNERABILITY SUMMARY

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Windows Installer service. By creating a junction, an attacker can abuse the service to delete a file or directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. **

RELATED LINKS

Nov 23, 2021

MISC:https://www.zerodayinitiative.com/advisories/ZDI-21-1308/

MISC:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41379

URL:https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41379

https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html

Please continue to monitor these Microsoft links for relevancy to your systems and patch your systems as they become available.

Microsoft Windows Print Spooler Remote Code Execution Vulnerability – Zero Day

Published: August 11, 2021

Microsoft continues to address multiple high severity vulnerabilities involving the print spooler in most Windows operating systems. Similarly to the announcements in recent weeks, a new vulnerability has been discovered. Microsoft has yet to patch this vulnerability.

VULNERABILITY SUMMARY

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Security patches have not been released as of the Patch Tuesday on August 10, 2021. Microsoft has provided a workaround within the link below.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

**

RELATING LINKS:

Jul 15, 2021
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Please continue to monitor these Microsoft links for relevancy to your systems and patch your systems as they become available.

Microsoft Windows Print Spooler Remote Code Execution Vulnerability – Security Advisory

Update: August 13, 2021

Published: July 2, 2021

Microsoft has released a set of out-of-band updates to remediate these vulnerabilities. These patches are available at the link referenced below.

NOTE: Several vulnerability watchdog publications are challenging the comprehensive efficacy of the latest out-of-band updates released July 7, 2021 citing that similar high severity vulnerabilities remain outstanding. Microsoft has yet to respond to these allegations at the time of this update.

Please continue to monitor Microsoft updates on this evolving issue and follow the guidance as it becomes available.

VULNERABILITY SUMMARY

Microsoft has resolved the vulnerability called “PrintNightmare”, that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability.

This vulnerability affects all Vitrea products that are installed on Windows server operating systems and Windows workstation operating systems.

Microsoft has now provided windows updates to resolve this issue. Please take your windows updates accordingly.

REFERENCES AND SERVICES:

Windows Print Spooler Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

RESOLUTION

Canon Medical recommends taking Windows Updates as they are available and check back to this page for updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

NVIDIA GPU Display Driver – Security Advisory

Published: May 27, 2021

SUMMARY

NVIDIA has provided the following Security Announcement:

NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses multiple issues that may lead to code execution, denial of service, escalation of privileges, and information disclosure.

Specific driver update for vGPU and Quadro video cards is 452.96

To protect your system, download and install this software update through the NVIDIA Driver Downloads Portal or, for the vGPU software update, through the NVIDIA Licensing Portal.

Impact assessment and details on these high severity vulnerabilities are available through the NVIDIA Security Advisory provided at the below.

REFERENCES AND SERVICES:

NVIDIA Security Advisory

https://nvidia.custhelp.com/app/answers/detail/a_id/5172

NVIDIA Driver Download Portal

https://www.nvidia.com/Download/index.aspx?lang=en-us

RESOLUTION

Canon Medical strongly recommends installing vendor patches and  security updates as soon as possible.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

TOMTEC Vulnerability Disclosure 2021-0001 – Security Advisory

Published: May 17, 2021

VULNERABILITY SUMMARY

TOMTEC Imaging Systems GmbH has provided Canon Medical with a vulnerability disclosure.

The TOMTEC-ARENA product is integrated with Vitrea and therefore may affect your deployment if you have purchased TOMTEC-ARENA software.

Impact assessment and details on these vulnerabilities are available through the TOMTEC Vulnerability Disclosure provided below.

REFERENCES AND SERVICES:

TOMTEC Vulnerability Disclosure Information 2021-0001

https://www.vitalimages.com/wp-content/uploads/Vulnerability-Disclosure-Form-2021-0001.pdf

RESOLUTION

Canon Medical recommends updating to the latest version of Vitrea that will contain the TOMTEC-ARENA update once it has been released. Check to this page for updated information.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

Adobe Flash Player EOL and Removal – Security Advisory

Published: January 13, 2021

Adobe stopped supporting Flash Player beginning December 31, 2020 (“EOL Date”), as previously announced in July 2017. In addition, to help secure users’ systems, Adobe blocked Flash content from running in Flash Player beginning January 12, 2021. Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.

For removal of Adobe Flash plugin from Microsoft Internet Explorer, you may install the security patch by running Windows Update.

VULNERABILITY SUMMARY

Adobe Flash EOL

REFERENCES AND SERVICES:

Windows

Update for Removal of Adobe Flash Player for Windows can be found here KB4577586

Adobe

Standalone

https://www.adobe.com/products/flashplayer/end-of-life.html 

Enterprise

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html 

For general information on Flash Player’s EOL, please see Adobe’s general FAQ .

 

RESOLUTION

Canon Medical strongly recommends following this software removal guidance and installing all security patches provided by Microsoft.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2020-10713 ‘BootHole’ attack impacts Windows and Linux systems using GRUB2 and Secure Boot – Initial Security Advisory

Published: July 29, 2020
Updated: September 10, 2020

VULNERABILITY SUMMARY

Eclypsium researchers have discovered a vulnerability — dubbed “BootHole” — in the GRUB2 bootloader configuration file utilized by most Linux systems that can be used to gain arbitrary code execution during the boot process, even when Secure Boot is enabled. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device.

This configuration file is an external file commonly located in the EFI System Partition and can therefore be modified by an attacker with administrator privileges without altering the integrity of the signed vendor shim and GRUB2 boot loader executables. This could allow an authenticated, local attacker to modify the contents of the GRUB2 configuration file to ensure that the attacker’s chosen code is run before the operating system is loaded.

The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels and hypervisors. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected.

Canon Medical is investigating this broad reaching vulnerability to define the scope of products affected and to determine a list of vendors providing relevant updates.

REFERENCES AND SERVICES:

System patching and mitigation guidance is provided by the following vendors:

HPE Servers:

HPE Security Bulletin: https://www.hpe.com/us/en/services/security-vulnerability.html

Impact statement: https://techhub.hpe.com/eginfolib/securityalerts/Boot_Hole/boot_hole.html

  • A number of items need updating that are listed within the Impact statement. Such as firmware updates for HPE Service Pack for ProLiant (SPP) and HPE Intelligent Provisioning.

Secure Boot DBX Updater for Windows and UEFI: https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00105191en_us

HP Workstations:

HP Workstations Security Bulletin: https://support.hp.com/us-en/document/c06655639

HP Workstations Security Bulletin:  https://support.hp.com/us-en/document/c06707446

VMware:

VMware Bulletin: https://kb.vmware.com/s/article/80181

Dell Workstations:

Dell Security Bulletin:

https://www.dell.com/support/article/en-us/sln322283/dell-response-to-grub2-vulnerabilities-which-may-allow-secure-boot-bypass?lang=en

Additional Information:

https://www.dell.com/support/article/en-us/sln322287/additional-information-regarding-the-boothole-grub-vulnerability?lang=en

For more information and updates on the GRUB2 vulnerability, visit

NVD

https://nvd.nist.gov/vuln/detail/CVE-2020-10713

Carnegie Mellon

https://www.kb.cert.org/vuls/id/174059

RESOLUTION

Canon Medical recommends installing the applicable patches related to your deployment as soon as possible.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2020-1472 – Netlogon Elevation of Privilege Vulnerability – Critical Advisory

Published: August 11, 2020

Microsoft Corporation has announced an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol.

VULNERABILITY SUMMARY

CVE-2020-1472 is an elevation of privilege vulnerability that exsists in Windows’ Netlogon. An unauthenticated user could use MS-NRPC to connect to a domain controller as a domain administrator. An attacker who successfully exploits the vulnerability can run a specially crafted application on a device on the network.

Microsoft adds an important note to their advisory that this patch is the first of two patches to fix this vulnerability. The second patch is slated to be released in Q1 2021.

NOTE: Canon Medical is aware of this critical vulnerability and we are in the process of testing our products in the context of the Phase 1 patch.

REFERENCES AND SERVICES:

Microsoft encourages administrators to review the following resource(s) and apply the necessary patches to affected systems for Phase 1 of the update:

Microsoft CVE-2020-1472

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

RESOLUTION
Canon Medical strongly recommends installing vendor patches and updates as soon as possible.

Patches for all impacted versions can be found at the links in the References section above.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

“Ripple 20” – Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities – Critical Advisory

Published: June 16, 2020

The Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors.

VULNERABILITY SUMMARY

A networking stack is a software component that provides network connectivity over the standard internet protocols. In this specific case these protocols include ARP, IP (versions 4 and 6), ICMPv4, UDP and TCP communications protocols. The Treck networking stack is used across a broad range of industries (medical, government, academia, utilities, etc.), from a broad range of device manufacturers – a fact which enhances their impact and scope, as each manufacturer needs to push an update for their devices independently of all others.

The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.

NOTE: This is a hardware-centric suite of vulnerabilities. The “Ripple20” is not specific to Canon Medical software.

NOTE: Canon Medical has discovered that related vendor patching for this attack vector has extended beyond the 19 vulnerabilities identified in the original “Ripple 20” announcement by JSOF (see below).

REFERENCES AND SERVICES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates to affected systems:

JSOF’s original “Ripple 20” write up:

https://www.jsof-tech.com/ripple20/

Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html

Workstations:

The vulnerabilities in the Intel product flow downhill to the HP Inc and Dell workstations via the Intel Chipsets. Affected products can be found at the following locations:

HP Inc:

https://support.hp.com/us-en/document/c06655639

Dell Inc:

https://www.dell.com/support/article/en-us/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en

https://www.dell.com/support/article/en-us/sln321723/june-2020-intel-platform-update-ipu-2020-1-impact-on-dell-and-dell-emc-products?lang=en

https://www.dell.com/support/article/en-us/sln321727/dsa-2020-143-dell-client-platform-security-update-for-intel-platform-updates-2020-1?lang=en

 

Servers:

HPE:

https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html

HPE – ProLiant Gen10 iLO 5 vulnerabilities.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04012en_us

No other hardware supported by Canon Medical has been determined affected.

 

RESOLUTION
Canon Medical strongly recommends installing the vendor patches and updates as soon as possible.

Patches for all impacted versions can be found at the links in the References section above.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

Microsoft Guidance for Disabling SMBv3 Compression “SMBGhost”– Microsoft Security Advisory UPDATE

Published: March 11, 2020

Updated: March 12, 2020

Microsoft has released a security advisory ADV200005 and has published an update that includes the affected software versions as well as an appropriate patch for each.

Patches and affected software mapping can be found here CVE-2020-0796. You may also install the patch by running Windows Update.

 

VULNERABILITY SUMMARY

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

Microsoft will update its advisory listed above when further updates are available.

REFERENCES

MITRE is tracking this vulnerability as CVE-2020-0796.

 

RESOLUTION

Canon Medical strongly recommends installing this patch as well as all security patches provided by Microsoft.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

Scripting Engine Memory Corruption Vulnerability – Microsoft Zero-Day Security Advisory

Published: January 19, 2020

Microsoft has released a security advisory (ADV200001) that currently only includes workarounds and mitigations that can be applied in order to safeguard vulnerable systems from attacks. At the time of writing, there is no patch yet available for this issue. Microsoft said it is working on a fix, to be released at a later date.

While Microsoft said it was aware that the IE zero-day was being exploited in the wild, the company described these as “limited targeted attacks,” suggesting the zero-day was not broadly exploited, but rather that it was part of attacks aimed at a small number of users. These limited IE zero-day attacks are believed to be part of a larger hacking campaign, which also involves attacks against Firefox users.

 

VULNERABILITY SUMMARY

A remote code execution (RCE) vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

REFERENCES

This IE RCE zero-day is also tracked as CVE-2020-0674

RESOLUTION

While this vulnerability and its current Microsoft-provided workaround is not anticipated to directly affect Canon Medical Products, deployments of said products include the affected Internet Explorer file(s) listed in the advisory. Corporations should follow their company policies when considering the configuration mitigations provided in the Microsoft Advisory ADV200001 linked above.

Canon Medical will continue to monitor announcements and progress regarding future patching for this vulnerability and will distribute updated communication as needed.

Canon Medical recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

Multiple Remote Desktop Server/Client Vulnerabilities – CISA Alert

Published: January 14, 2020

Microsoft has released security updates to address multiple critical remote code execution vulnerabilities, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611.

VULNERABILITY SUMMARIES

Windows Remote Desktop Server Vulnerabilities – CVE-2020-0609/CVE-2020-0610

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

CVE-2020-0609/CVE-2020-0610:

  • Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
  • Occurs pre-authentication; and
  • Requires no user interaction to perform.

The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities.

Windows Remote Desktop Client Vulnerability – CVE-2020-0611

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it. An attacker would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.

The update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.

CVE-2020-0611:

  • Affects all supported Windows Server and Workstation versions (Support for Server 2008 and Windows 7 ends January 14, 2020)

The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.

 

RESOLUTION
Microsoft strongly recommends installing the Windows Updates as soon as possible.

Patches for all impacted versions can be found at the specific CVE links in the summary sections above.

Canon Medical recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2019-13720 | Use-after-free in audio – Security Bulletin

Published: October 31st, 2019

Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

VULNERABILITY SUMMARY:

Google is currently not publishing a summary of the vulnerability.

The following is an announcement from the link provided above:

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

REFERENCES:

RESOLUTION:
Canon Medical recommends checking  your Chrome browser Help->About Google Chrome and confirming that you’re on the latest Chrome update 78.0.3904.87.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2019-1367 | Internet Explorer Scripting Engine Memory Corruption Vulnerability – Security Bulletin

Published: September 23, 2019

Microsoft has released an out of band security updates to address a scripting engine memory corruption vulnerability, CVE-2019-1367 for the following version of Internet Explorer:

  • Internet Explorer 11

VULNERABILITY SUMMARY:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

REFERENCES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates:

Other useful references:

RESOLUTION:
Microsoft strongly recommends installing the Windows Update as soon as possible.

There is a vulnerability that is being actively exploited in the wild.

Canon Medical recommends installing the Microsoft patches as they are released.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2019-1181 and CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability – Security Bulletin

Published: August 14, 2019

Microsoft has released security updates to address two remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, in the following operating systems:

  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10

VULNERABILITY SUMMARY:

An attacker could exploit these vulnerabilities to take control of an affected system. Similar to CVE-2019-0708 – dubbed BlueKeep and announced in June 2019 – these vulnerabilities are considered “wormable” because malware exploiting these vulnerabilities on a system could propagate to other vulnerable systems.

REFERENCES:

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and users and administrators to review the following resources and apply the necessary updates:

Other useful references:

RESOLUTION:
Microsoft strongly recommends installing the Windows Update as soon as possible.

Both patches for all impacted versions can be found at the specific CVE links in the References section above.

Canon Medical recommends installing the Microsoft Monthly Roll-up Updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

The DICOM Standards Organization DICOM File Preamble – Security Bulletin

Published: July 19, 2019

DICOM.org has reported the following Security Advisory:

VULNERABILITY SUMMARY

The DICOM Standards Organization has reported a data validation vulnerability in the preamble defined by the DICOM File format. According to this report, the vulnerability is exploitable by embedding executable code into the 128-byte preamble. A malicious actor could modify a DICOM file preamble so that it is treated as both an executable program and as a DICOM file. A user might be somehow convinced to execute the file.

Note:

The DICOM Network Communications protocol between modalities, PACS, and display systems does not transmit a preamble and is not subject to this vulnerability.

References:

DICOM FAQ Response to 128-byte preamble vulnerability

RESOLUTION

Review link provided above for details and vulnerability scenarios.

For Canon Medical customers, always exercise caution by reviewing or AV (Antivirus)  scanning the contents of any portable media (CDs, USBs, etc.) to determine that all files are legitimate DICOM files. Canon Medical recommends that affected users reach out to their specific AV vendor to determine if their solution properly scans for the affected file type. In the situation where an AV solution cannot be installed, affected users should take steps to make sure that they have processes and procedures in place to scan portable/removable media for suspicious files before introducing the media into their medical networks.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability – Security Bulletin

Published: June 20, 2019

Microsoft® has provided the following Security Bulletin for the Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. BlueKeep) Vulnerability CVE-2019-0708:

VULNERABILITY SUMMARY
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

References:

Only impacted versions are listed:

  • Windows 7 for X64-based Systems Service Pack 1 for Vitrea 6.x and Vitrea 7.x
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 for Vitrea 6.x

RESOLUTION
Microsoft strongly recommends taking the Windows Update as soon as possible.

The required patches for all impacted versions can be found here.

Canon Medical recommends taking the Microsoft Monthly Updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

HPE Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers – Security Bulletin

Published: June 17, 2019

Hewlett Packard Enterprise has provided the following Security Bulletin:

VULNERABILITY SUMMARY
Vulnerabilities discovered in HPE Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers could be exploited remotely to allow Cross-Site Scripting (XSS), Unauthorized Data Injection, and Buffer Overflow.

References:

Only impacted versions are listed:

  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers 1.39 and earlier
  • HPE Integrated Lights-Out 4 (iLO 4) 2.61b and earlier

RESOLUTION
HPE has provided updated firmware for Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 to resolve these issues.

  • For iLO 4 (GEN 9), acquire firmware version 2.70 (or later) here and install it
  • For iLO 5 (GEN 10), acquire firmware version 1.40 (or later) here and install it

Hewlett Packard Enterprise strongly recommends the information in this Security Bulletin should be acted upon as soon as possible.

Canon Medical recommends subscribing to the Hewlett Packard Enterprise Security Bulletins for future security updates.

Disclaimer: When following any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions, please contact Canon Medical Customer Success.

Microarchitectural Data Sampling (a.k.a. MDS, ZombieLoad, RIDL & Fallout) – Security Advisory

Published: June 3, 2019

HPE has provided the following Security Announcement:

On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS).  These security vulnerabilities in CPUs may allow information disclosure. Intel is releasing microcode updates (MCU) to mitigate these potential vulnerabilities. These are coupled with corresponding updates to operating system and hypervisor software.

More details are available through CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, and the Intel Security Advisory.

Impact assessment for HPE Products is available here.

Additional details on HPE Support Center.

Disclaimer: If you follow the any of the links provided you will be leaving Canon Medical’s website. Canon Medical is not responsible for the content, security or availability of linked sites.

If you have any questions please contact Canon Medical Customer Success.

Microsoft® Security Update (Out of Band) CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability – Critical

Published: December 19, 2018

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653

If you have any questions please contact Customer Success.

Microsoft® Remote Desktop Services Security Update – Potential Compatibility Issue

Published: June 4, 2018

Microsoft has recently released a security update for a vulnerability in Remote Desktop Services(RDS). It has been reported that if two machines do not have the same RDS patch install level, an incompatibility issue between them can prevent log in.

This RDS update has been released through the standard Windows Update distribution channels and will be installed to those machines taking the standard monthly Windows Updates.

The RDS security update details are here:

CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886

Canon Medical strongly recommends installing these latest security patches comprehensively to all product systems to avoid this issue.

If you have any questions, please contact Customer Success.

Microsoft® Security Update I Critical

CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

Published: May 8, 2018

Microsoft has announced and released its standard monthly security roll-up for May 2018. In it are critical updates for two vulnerabilities that were considered zero-day status until this release. These two specific vulnerabilities are unique in that they are currently being exploited in the wild. In addition, it is noteworthy that there are twenty-one (21) other critical vulnerabilities remedied in this update. As a result, Canon Medical strongly recommends to install these latest security patches to all product systems as soon as possible.

At this time no Canon Medical customers have reported exploitations involving these two vulnerabilities.

For more details and a full list of affected systems, click here:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

If you have any questions please contact Customer Success.

Microsoft® Security Update (Out of Band) CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability

Published: March 29, 2018

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038

If you have any questions please contact Customer Success.

Adobe Security Advisory APSA18-01

Published February 1, 2018

A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

A full summary containing current mitigations, affected products and plans for patching can be accessed here: https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

Adobe will address this vulnerability in a release planned for the week of February 5.

For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

Please refer to this Software Security Updates page for the latest information from Canon Medical and contact Customer Success if you have any questions.

Customer Success Alert

Meltdown and Spectre Side-Channel Vulnerabilities

The United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, has released the following alert regarding the security vulnerabilities “Meltdown and Spectre.” The formal source for this alert is hosted here: US-CERT: Meltdown and Spectre Side-Channel Vulnerabilities.
Original release date: January 03, 2018

“US-CERT is aware of a set of security vulnerabilities – known as Meltdown and Spectre – that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Users and administrators are encouraged to review Vulnerability Note VU#584653Microsoft’s Advisory, and Mozilla’s blog post for additional information and refer to their OS vendor for appropriate patches.

US-CERT is not aware of any active exploitation at this time and will provide additional information as it becomes available.”

This is a broad-based set of vulnerabilities that requires security patching from many contributors (e.g., hardware vendors, Microsoft, VMWare, etc.) for complete remediation. The Intel chipsets that Canon Medical’s software runs upon are directly affected by this finding.

US-CERT advises that the changes to accommodate/remediate this issue could impact one or more of our applications. As patches become available, we will test our applications in their context and provide our customers with any specific cautions or additional instruction.

Please refer to this Software Security Updates page for the latest information from Canon Medical and contact Customer Success if you have any questions.

Microsoft® Security Advisory 4010323

Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11

Published: May 9, 2017

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates. For more information, please see Windows Enforcement of SHA1 Certificates.

For more details and a full list of affected systems, click here: https://technet.microsoft.com/en-us/library/security/4010323

If you have any questions please contact Customer Success.

Microsoft® Security Bulletin (MS17-010) – Critical

Canon Medical strongly recommends installing the latest security updates from Microsoft as soon as they are made available.

Canon Medical recommends applying MS17-010 to all your Vitrea platforms to protect against the WannaCry malware.

  • VitreaAdvanced / Vitrea® Advanced Visualization
    • enterprise deployment
    • Vitrea Workstation or workstation deployment
    • Vitrea Extend or extend deployment
  • Vitrea View
  • Vitality XT

If you cannot download the Windows update the Workaround can also be found in the link below to protect the system(s).

For more information see the Microsoft Security Bulletin MS17-010 – Critical.  If you have any questions please contact Customer Success.

Vitrea Advanced Running VMware Tools

Version in NGC/C# Client Version in Tools Info Screen Result
9541 9.10.5 – 2981885 NOT RECOMMENDED
10240 10.0.0 – 3000743 NOT RECOMMENDED

Canon Medical recommends deploying a version of VMware Tools on Vitrea Advanced servers that does not result in this behavior. The table below shows the currently recommended versions.

Version in NGC/C# Client Version in Tools Info Screen Result
9536 9.10.0 – 2476743 OK
9537 9.10.1 – 2791197 OK
10245 10.0.5 – 3227872 OK

Adobe® Reader® for Windows®

Adobe has released a critical security bulletin and related security updates for Adobe Reader for Windows. Canon Medical recommends users update their product installations to the latest versions.

  • Users of Adobe Reader XI (11.0.20) and earlier versions should update to version 11.0.21.
  • Users of Adobe Reader DC Classic (2015.006.30306) and earlier versions should update to version 2015.006.30352.

For more information, see the Adobe Security Bulletin released on January 10, 2017 and recently updated via CVE-2017-3124.

To upgrade Adobe Reader, downloads can be found here.

All third party marks are property of their respective owners and have protection in the United States and/or other countries.

Adobe® Flash® for Windows®

Adobe has released security updates for Adobe Flash for Windows. Canon Medical recommends users who have installed Adobe Flash to view Help and Training videos update their product installations to the latest versions. Canon Medical does not distribute Adobe Flash but it can be used with the Canon Medical products.

  • Users of the Adobe Flash Player for Windows should update to Adobe Flash Player 18.0.0.209.


For more information, see the Adobe Security Bulletin released on July 14, 2015. This vulnerability is also known as ActionScript 3 opaqueBackground and BitmapData classes of Flash Player Exploitation CVE-2015-5122CVE-2015-5123.

If you wish to upgrade Adobe Flash the latest update downloads can be found here.

Microsoft® Windows® Update MS15-061 – KB3057839

Canon Medical uncovered an issue with the Microsoft Windows Update MS15-061 – KB3057839 that was released on June 9, 2015. If this Microsoft Update is applied to the Microsoft operating system, Vitrea® reports will be blacked out when exported to a DICOM endpoint.

Canon Medical is working directly with Microsoft to resolve the problem.

This patch affects all versions of Vitrea deployments on Windows Server® 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, and Windows 7 SP1.

Removing this Microsoft update or preventing this update’s installation will allow Vitrea reports to export as expected.

 

Canon Medical Support

Please contact Canon Medical Customer Support with any questions or variations experienced with this issue.

 

Microsoft Technical Information

Microsoft® 0 Day Patch

On April 26, 2014 Microsoft announced a high impact vulnerability that affects Internet Explorer versions 6 through 11. This vulnerability could allow remote code execution on any system that is using these versions of Internet Explorer. On May 1, Microsoft released a patch that fixes this exposure.

Canon Medical has tested the patch to this vulnerability and confirmed that installing the patch does not negatively impact any Vitrea® products.

Canon Medical strongly recommends that all organizations apply this patch as soon as possible to all systems running any Vitrea software.

References:
Microsoft Security Advisory 2963983 – https://technet.microsoft.com/library/security/2963983
National Vulnerability Database – http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776

Heartbleed Virus

Canon Medical has tested our Vitrea® software and confirmed that we are not affected by the Heartbleed virus.

If you have any questions on either of these issues, please call Canon Medical Customer Support at support@mi.medical.canon or 800.208.3005.


Microsoft
®, Windows® and Microsoft Windows Server® are registered trademarks of Microsoft Corporation.

Adobe®, Flash® and Reader® are registered trademarks of Adobe Systems Incorporated.

Canon Medical is a trademark of Canon Medical Informatics, Inc. Marks not owned by Canon Medical are the property of their respective holders.