Overview:
Hologic is actively investigating recent Libwebp vulnerability CVE-2023-4863 and has determined, at this time, low risk of impact for our devices when used as intended for designed medical workflow. Our medical software does not encode or decode images in the WebP format. We do, however, include third-party software that has been found to include the impacted component, as described below. We will update this advisory as required.
Background:
Libwebp is an open-source package created to support encoding and decoding the WebP image format. Libwebp version 1.3.2 and lower are impacted by this vulnerability with remote code execution potential and known active exploitation. It is rated as an 8.8 High CVSS 3.x severity in the National Vulnerability Database (NVD). The Libwebp package is used in many popular applications, as well as the popular Electron app framework. The most impactful software where this component has been identified is many popular web browsers - Google Chrome, Microsoft Edge, and Mozilla Firefox. Internet Explorer does not appear to be impacted.
Impact Details:
No impact has been found to Hologic developed medical device software at this time. As stated above, products are not performing processing of Webp images. However, many of our Breast & Skeletal Health products leverage the Google Chrome web browser for registration of our remote servicing software, Unifi Connect. The installation of Chrome defaults to automatic updates. If the network is configured to allow these updates, it should be automatically updated to address the vulnerability. Furthermore, general web browsing is not recommended or supported in the intended use design, making risk of impact here low.
The vulnerable Libwebp library has also been found in the Operating System of the SecurXChange Router product. The product leverages Ubuntu and an update for the package is already available, as described in their security advisory USN-6369-2, linked below.
Recommendations:
Hologic recommends that customers check product devices for the presence of Google Chrome and, if installed, ensure update of the browser has been performed. If it has not, force the update manually. To resolve this vulnerability, Google Chrome must be v116.0.5845.187 or higher.
For SecurXChange product systems at v4.1.x or higher, perform the following steps to update the Operating System:
- Log into SecurXchange web applicate as an admin user.
- Navigate to Administration -> System -> Software Updates.
- Click "Download Updates..." button.
- At the prompt, select "Security Updates" and click OK.
- Once download completes, click "Install Updates".
- At the prompt, select "Install Now" and click OK.
- Wait for the installation to complete and for the web application to restart.
For SecurXChange product systems at versions lower than 4.1.x, system should be upgraded for continued security patch support.
Resources:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog (search for CVE-2023-4863)
https://ubuntu.com/security/notices/USN-6369-2
