Network Security Vulnerability in LMS Imaging Products
Product Line: LBS Imaging Solutions
Affected Products: Certain versions of Aperio VERSA, and LBS CytoVision
Date: 15-Oct-2020
Audience: North America, EMEA, APAC
A vulnerability exists in LMS Image Acquisition Software that poses a threat to network security and is associated with CytoVision and Aperio VERSA customer implementations
Leica Microsystems (LMS), a supplier of microscopy components for Aperio VERSA and LBS CytoVision has informed Leica Biosystems (LBS) that there is a potential cyber security vulnerability introduced by a third-party software (WIBU Systems’ CodeMeter) embedded into their image acquisition software, LAS X. LMS has delivered a Product Security Notice to their customers. As a result, LBS is informing you that as LAS X is utilized for Aperio Versa (v.1.0.4) and LBS CytoVision (v7.6 and v7.7) scanning configurations, your system may need attention. It has been determined that these products are only impacted if the customer implementation:
- Is internet-connected and
- has the LAS X version of microscope imaging software installed.
Note: All other Aperio scanners and software are unaffected as they do not use the LAS X software
Is your system affected?
The following serial numbers were manufactured with LAS X installed and would be affected if they are internet connected:
- Aperio VERSA: 500152 - 500257
- LBS CytoVision: 202496 - 203358
Additionally, it may be possible that a system was upgraded from LAS to LAS X during a post manufacturing activity. You can confirm whether LAS X is on your system by simply opening the Windows “search” function and searching for “LAS X”. If LAS X is present, it will be identified in the search results.
Note: Only “LAS X” version is affected. “LAS” version is not affected.
LBS has already implemented countermeasures to ensure any new shipments of CytoVision and Aperio VERSA do not include the vulnerability described in this notice.
Impact to system use and function
LAS X is a third-party software installed on CytoVision and Aperio VERSA computer systems in order to initially configure the microscope hardware. After the initial configuration, both CytoVision and Aperio VERSA function completely independent of the LAS X software and do not interact or utilize LAS X further. Therefore, changes to the LAS X software will not impact the use and function of either CytoVision or Aperio VERSA systems.
Recommendations for affected systems
As Leica Biosystems is steadfastly committed to the safety and security of our customers, we are sharing this information and providing the following recommendations to ensure the continued safe operation of CytoVision and Aperio VERSA computer systems.
If you’ve determined that your system meets each of the above criteria, any one of the following mitigations must be implemented to permanently remove the threat:
- Block TCP port 22350 on the organization broad firewall.
- Uninstall CodeMeter from the Windows system.
As CytoVision and Aperio VERSA do not use TCP port 22350 or the CodeMeter software associated with this threat, either course of mitigation should be permanent.
More information
For more details please refer to:
CISA Industrial Control Systems Advisory ICSA-20-203-01