Biosense Webster Inc. (BWI), a Johnson & Johnson company, has a software update that applies operating system patches and anti-virus signature updates to close vulnerabilities in the operating system of the CARTO 3 System, a 3D cardiovascular mapping platform, according to a report with ICS-CERT.
This update will be applied to CARTO 3 Systems this month as part of the free-of-charge CARTO 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO 3 Systems running Version 4 (V4).
If the system is networked, the network interface for CARTO 3 V4 is sufficiently restricted by a software firewall to provide users reasonable assurance it will not be exploited remotely or via malware/ransomware.
If an attacker has persistent physical access to a CARTO 3 V4 System, the attacker could exploit the vulnerabilities in the operating system. This could allow the attacker to access information stored in the device, including individually identified health information about patients, affect the integrity of CARTO 3, or deny availability of the device. If the CARTO 3 V4 System is networked, an attacker with persistent physical access may also be able to access other systems within the user’s network.
CARTO 3 Systems manufactured before April this year are affected by these issues.
BWI reported controlled risks in the CARTO 3 System related to operating system vulnerabilities and outdated anti-virus signatures. Click here for a table providing CVE numbers, Microsoft vulnerability tracking numbers, and titles.
These vulnerabilities cannot be exploited remotely. Even if the CARTO 3 V4 System is networked, its network interface is restricted by a software firewall. These vulnerabilities require physical access to the CARTO 3 V4 System to exploit.
Exploits targeting these vulnerabilities exist and are publicly available.
Exploiting these vulnerabilities would be difficult because an attacker must have physical access to the device and knowledge of the public exploits.
BWI, a Johnson & Johnson company, is a U.S.-based company that maintains offices in several countries around the world, including the U.S., Asia, Europe, Middle East, and Africa.
The affected product, the CARTO 3 V4 System, is an imaging device that uses electromagnetic technology to create real-time three-dimensional (3D) maps of a patient’s cardiac structures. According to BWI, CARTO 3 is used across the healthcare and public health sector. BWI estimates these products are used primarily in the United States, Asia, Europe, Middle East, and Africa.
Physical security for the CARTO 3 System is a critical control: device users must employ it to limit exposure to the identified risks and vulnerabilities, which can be exploited with persistent physical access to the device.
BWI will be contacting users to initiate a software update in the field to address vulnerabilities within the CARTO 3 System.
See the Johnson & Johnson Product Security website for the latest security information.