Security Information: Remote desktop service vulnerability (CVE-2019-0708)


Canon Medical Systems Security Advisory

Overview
A security vulnerability has been announced in the Remote Desktop Service (software for remote control from other computers) in the Windows OS. An attacker who successfully exploits this vulnerability could install software or view, change, or delete data. At this time, no attack code or attack damage that exploits this vulnerability has been confirmed.


Security Risk Evaluation Result
The Common Vulnerability Scoring System (CVSS) score is 9.8 (critical level), and the degree of impact on confidentiality, integrity, and availability is also rated as “high”. The attack method is as simple as sending a specially crafted RDP request to the remote desktop service of the target system.


Affected products


VL Medical Imaging Products (Windows XP/Windows 7)
- Infinix-i V4.x/V5.x (DFP) (Windows XP)
- Infinix-i V4.x/V5.x (Angio Workstation) (Windows XP)
- Alphenix V8.x (Angio Workstation) (Windows 7)

CT Medical Imaging Products (Windows Server 2003 / Windows Server 2008)
- TSX series with SUREXtension option (COT-49D)

MR Medical Imaging Products (Windows XP/Windows 7)
- MRT series (Windows XP)
- MRT series (Windows 7)


Resolution
Canon Medical Systems Corporation will provide the Microsoft update for the following systems.


CT TSX series with SUREXtension option (Windows Server 2003 / Windows Server 2008)
- Release date: 06/03/2019 (Release No.17 or later)

MR MRT series (Windows 7)
- Release date: 06/27/2019 (Release No.18 or later)


Canon Medical Systems Corporation will provide risk mitigation measures for the following systems.


VL Infinix-i V4.x/V5.x (DFP) (Windows XP)
- Release date: 11/27/2019 (FSM-XR4348)

VL Infinix-i V4.x/V5.x (Angio Workstation) (Windows XP)
- Release date: 11/27/2019 (FSM-XR4348)

VL Alphenix V8.x (Angio Workstation) (Windows 7)
- Release date: 11/27/2019 (FSM-XR4348)

MR MRT series (Windows XP)
- Release date: 11/25/2019 (FSM-MR3570*A)

For inquiries concerning these products, please contact the nearest branch office or sales/service office.


Notes
The following countermeasures for your network are known to reduce the possibility of a security incident caused by this vulnerability.

1) Control of communication protocol and communication port
The attack on the remote desktop service uses the following communication protocol and communication port. One effective measure is to block remote desktop service communication to our device. Alternatively, it is effective to change the communication port to something other than the default communication port.

Service Name: TermService
Protocol type and used port number: TCP port 3389
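
As an added example (not Canon Medical Systems' code or tooling), the Python script below checks a firewall rule list for source networks that can still reach a device on TCP 3389, as a way to verify the control described in 1). The rule format, the top-down first-match evaluation with default deny, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

RDP_PORT = 3389  # default TermService port given in the advisory

# Hypothetical rule shape: action, source CIDR, destination CIDR, protocol, (low, high) dst ports
Rule = namedtuple("Rule", "action src dst proto ports")

def _allowed(rules, segment, device, port):
    """Parts of `segment` that a top-down, first-match rule list lets reach device:port/tcp."""
    if not rules:
        return []  # nothing matched: implicit default deny (assumption)
    rule, rest = rules[0], rules[1:]
    src = ipaddress.ip_network(rule.src)
    applies = (rule.proto in ("tcp", "any")
               and rule.ports[0] <= port <= rule.ports[1]
               and device in ipaddress.ip_network(rule.dst)
               and segment.overlaps(src))
    if not applies:
        return _allowed(rest, segment, device, port)
    if segment.subnet_of(src):  # the rule decides the whole segment
        return [segment] if rule.action == "allow" else []
    # The rule covers only part of the segment; the remainder falls through to later rules.
    decided = [src] if rule.action == "allow" else []
    for part in segment.address_exclude(src):
        decided += _allowed(rest, part, device, port)
    return decided

def rdp_exposure(rules, segment, device, port=RDP_PORT):
    """Collapsed list of source networks inside `segment` that can still reach the device."""
    nets = _allowed(rules, ipaddress.ip_network(segment), ipaddress.ip_address(device), port)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample policy and addresses (not from the advisory).
WEAK = [
    Rule("allow", "10.20.5.10/32", "10.50.0.0/24", "tcp", (3389, 3389)),   # service workstation
    Rule("allow", "10.20.0.0/16",  "10.50.0.0/24", "tcp", (1024, 65535)),  # broad rule, shadows the deny
    Rule("deny",  "0.0.0.0/0",     "10.50.0.0/24", "tcp", (3389, 3389)),
]
FIXED = [WEAK[0], WEAK[2], WEAK[1]]  # deny moved ahead of the broad allow

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("fixed", FIXED)):
        for seg in ("10.20.0.0/16", "10.30.0.0/16"):
            print(name, seg, "->", rdp_exposure(policy, seg, "10.50.0.21"))
```

If the remote desktop port has been changed from the default, pass the new value as port=, since a deny rule written only for 3389 no longer matches that traffic.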