Johnson & Johnson, the parent company of Ethicon Endo-Surgery, LLC, fixed an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11, according to a report with ICS-CERT.
Ethicon Endo-Surgery Generator Gen11, all versions released before November 29 suffer from the vulnerability.
Ethicon Endo-Surgery is a subsidiary of Johnson & Johnson and is a U.S.-based company that maintains offices in several countries around the world.
The Ethicon Endo-Surgery Generator Gen11 is deployed across the healthcare and public health sectors. This product sees action on a global basis.
The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products can end up bypassed, allowing for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability.
CVE-2017-14018 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.8.
This vulnerability cannot be exploited remotely. No known public exploits specifically target this vulnerability. An attacker with high skill would be able to exploit this vulnerability.
Ethicon Endo-Surgery contacted users and initiated a field cybersecurity update to address the vulnerability in the Ethicon Endo-Surgery Generator Gen11.
The update will be made available November 29. Users with questions regarding the vulnerability or the product update are advised to contact their Ethicon Endo-Surgery sales representative or Ethicon Customer Support Center at 1-877-ETHICON.