Product security
Edwards Lifesciences Support of Vulnerability Disclosure
As software and technology continue to become more integrated in products, Edwards recognizes cybersecurity to be a critical element in reducing risk across the total product lifecycle. Cybersecurity threats are evolving, and they have the potential to not only impact the confidentiality, integrity, and availability of a product, but also its clinical effectiveness.
Edwards maintains a dedicated Product Security team to help evaluate and implement security controls, manage cybersecurity risk across our various product lines, and execute our cybersecurity post-market product surveillance and support program.
We recognize the value provided by patients, customers, and security researchers in helping manage cybersecurity risk and are willing to collaborate with those who work in good faith with Edwards.
Scope of Disclosure Program
The scope of the Edwards Coordinated Vulnerability Disclosure Program includes on-market Medical Device and Software as a Medical Device categories (including mobile and web medical applications). Non-medical devices including websites, mobile apps, infrastructure components, etc., are not in scope. Additionally, the submission of adverse events or product quality complaints is not in scope. Please follow the appropriate processes laid out by the individual product lines for reporting these.
As a part of our vulnerability disclosure program, Edwards will be using this page to post cybersecurity bulletins related to vulnerabilities and their impact to Edwards products. For any additional questions or comments related to product security at Edwards, please contact your service representative and/or the product security team directly.
How to Contact Edwards Product Security
Upon identifying a potential vulnerability in an Edwards product, please contact us via email as soon as possible utilizing PGP as outlined below:
- Key ID: 0x091BF988
- PGP Location: https://keyserver.pgp.com
- Email: product_security@edwards.com
In the email, please provide all relevant technical information regarding the vulnerability, including, but not limited to, steps which would need to be taken to replicate the potential issue, plans on public disclosure, and any awareness of active exploitation. Do not include any personally identifiable information (PII) or individually identifiable health information (IIHI) in the message.
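As an added example (not Edwards' own tooling), the following POSIX shell script shows the submission steps above with GnuPG: it fetches the key listed on this page, prints its fingerprint so it can be compared against a second source before use, refuses to encrypt a report that still carries obvious PII/IIHI labels, and writes an ASCII-armored ciphertext to attach to the email. It assumes gpg 2.x is installed and that keyserver.pgp.com answers over HKPS at hkps://keyserver.pgp.com (the page gives only the https web address); the PII label list is a constructed heuristic, not a substitute for reviewing the report by hand.

```shell
#!/bin/sh
# Added example, not Edwards' own tooling: encrypt a vulnerability report to the
# Edwards Product Security PGP key before emailing it to product_security@edwards.com.
# Typical sequence:   fetch_key; show_fingerprint; encrypt_report report.txt
set -eu

EDWARDS_KEY_ID="0x091BF988"            # key ID from the disclosure page
KEYSERVER="hkps://keyserver.pgp.com"   # assumed HKPS endpoint of the listed server
RECIPIENT="product_security@edwards.com"

# Import the key into the local keyring (network access required).
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$EDWARDS_KEY_ID"
}

# Print the full fingerprint; a 32-bit key ID alone can collide, so compare the
# fingerprint with a second source (e.g. your service representative) before use.
show_fingerprint() {
    gpg --fingerprint "$EDWARDS_KEY_ID"
}

# Return success only if the report contains none of the constructed PII/IIHI
# label patterns below (case-insensitive). This is a crude last-line check, not DLP.
report_looks_clean() {
    ! grep -Eiq 'patient name|date of birth|medical record number|social security' "$1"
}

# Encrypt the plaintext report to the Edwards key; output is ASCII-armored so it
# can be pasted into or attached to an email. Prints the output path on success.
encrypt_report() {
    src="$1"
    out="${src}.asc"
    if ! report_looks_clean "$src"; then
        echo "report contains PII/IIHI markers; remove them before submitting" >&2
        return 1
    fi
    gpg --armor --encrypt --recipient "$EDWARDS_KEY_ID" --output "$out" "$src"
    echo "$out"
}
```

The armored `.asc` file is what goes to the address above; keep the plaintext report off shared drives, and include the reproduction steps, disclosure plans, and any known exploitation in the encrypted body rather than in the email subject, which PGP does not protect.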
Expectations of Researchers
For any research being conducted on Edwards products, we ask researchers to:
- Perform testing in a safe environment and manner
- Not test or alter a production device in any way
- Not use devices in production that have been altered
- Not weaponize the research, nor create an active exploit
- Not publicly disclose without prior engagement with Edwards
Expectations of Edwards
After submission of a potential vulnerability, Edwards will:
- Review all submitted information and acknowledge receipt within 10 business days
- Request additional information, if required, in order to enable a full review of the submission
- Initiate our internal Vulnerability Management & Incident Response processes, which may include:
  - Internal replication of potential vulnerabilities
  - Risk evaluation activities
  - Mitigation/remediation planning and execution
  - External communications efforts
- Work diligently in providing updates to the submitter, as necessary
Notice
In the case you decide to share any information with Edwards, you agree that the information you submit will be considered as non-proprietary and non-confidential, and that Edwards is allowed to use such information in any manner, in whole or in part, without any restriction.
Bulletins
12/04/2023
“BLUFFS” Cybersecurity Bulletin
A cybersecurity vulnerability with high confidentiality and integrity impact, affecting Bluetooth BR/EDR devices that support Secure Simple Pairing and Secure Connections pairing under Bluetooth Core Specification 4.2 through 5.4, has been discovered by researchers at EURECOM. This vulnerability, referred to as “BLUFFS”, allows certain man-in-the-middle attacks, enabling an attacker to impersonate authorized Bluetooth-connected devices or potentially read/change transmitted data or inject their own code. The vulnerability was documented as CVE-2023-24023, and a Common Vulnerability Scoring System (CVSS) v3 score of 6.8 out of 10 has been assigned to it.
At this time, Edwards' on market devices are not impacted by the CVE-2023-24023 vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate.
Additional details on the vulnerability can be found on the below resources:
- National Vulnerability Database (NVD) entry for CVE-2023-24023 (nist.gov)
- Bluetooth SIG security notice (Bluetooth® Technology Website)
- EURECOM research paper: BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses (acm.org)
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
12/16/2021
“Log4j” Cybersecurity Bulletin
A high-impact cybersecurity vulnerability in the widely used Log4j logging library was discovered by Alibaba Cloud’s security team and reported on December 9th. This vulnerability, documented as CVE-2021-44228, can be used for unauthenticated remote code execution and could allow an attacker to compromise an entire system. A Common Vulnerability Scoring System (CVSS) v3 score of 10 out of 10 (Critical) was assigned to the Log4j vulnerability.
At this time, Edwards' devices on market are not impacted by the Log4j vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
4/26/2021
“NAME: WRECK” Cybersecurity Bulletin
Multiple security vulnerabilities in four common TCP/IP stacks (FreeBSD, IPnet, NetX, and Nucleus NET), implemented across various operating systems, were recently disclosed publicly by security researchers from Forescout and JSOF. These vulnerabilities, referred to as “NAME: WRECK”, can be used to cause denial of service or remote code execution and could allow an attacker to compromise an entire system without user interaction. Common Vulnerability Scoring System (CVSS) v3 scores ranging from 5.3 to 9.8 have been assigned to the set of nine NAME: WRECK vulnerabilities.
At this time, Edwards' devices on market are not impacted by the NAME: WRECK vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://us-cert.cisa.gov/ics/advisories/icsa-21-103-04.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
12/15/2020
“AMNESIA:33” Cybersecurity Bulletin
Multiple security vulnerabilities in several open-source TCP/IP stacks, implemented across various systems, were recently disclosed publicly by security researchers at Forescout Research Labs. These vulnerabilities, referred to as “AMNESIA:33”, can allow an attacker to remotely execute code and take full control of an affected device. Common Vulnerability Scoring System (CVSS) v3 scores ranging from 4.0 to 9.8 out of 10 were assigned to the AMNESIA:33 family of vulnerabilities.
At this time, Edwards' devices on market are not impacted by the AMNESIA:33 vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
11/2/2020
“Bad Neighbor” Cybersecurity Bulletin
A remote code execution vulnerability has been disclosed by Microsoft that affects multiple versions of the Windows 10 and Windows Server operating systems. This vulnerability, referred to as “Bad Neighbor”, resides in the way Windows handles ICMPv6 Router Advertisement packets, and it could allow a remote attacker to execute code on an affected system. A Common Vulnerability Scoring System (CVSS) v3 score of 8.8 out of 10 has been assigned to this vulnerability.
At this time, Edwards' devices on market are not impacted by the Bad Neighbor vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the Microsoft security advisory page for this vulnerability – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16898.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
8/12/2020
“BootHole” Cybersecurity Bulletin
A vulnerability in the GRUB2 bootloader has been recently disclosed publicly by security researchers at Eclypsium. This vulnerability, referred to as “BootHole”, can be used by an authenticated, local attacker to execute arbitrary code during the boot process, bypass Secure Boot protections, and ultimately take full control over the system. A Common Vulnerability Scoring System (CVSS) v3 score of 8.2 out of 10 has been assigned to this vulnerability.
At this time, Edwards' devices on market are not impacted by the BootHole vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the CERT Coordination Center’s website – https://www.kb.cert.org/vuls/id/174059.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
6/26/2020
“Ripple20” Cybersecurity Bulletin
Multiple security vulnerabilities in the Treck TCP/IP Stack, implemented across various systems, were recently disclosed publicly by security researchers at JSOF. These vulnerabilities, referred to as “Ripple20”, can be utilized for remote code execution and allow an attacker to potentially compromise an entire system without user interaction. Common Vulnerability Scoring System (CVSS) v3 scores ranging from 4.3 to 10 out of 10 were assigned to the Ripple20 family of vulnerabilities.
At this time, Edwards' devices on market are not impacted by the Ripple20 vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/advisories/icsa-20-168-01.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
4/7/2020
Windows CryptoAPI Cybersecurity Bulletin
A spoofing vulnerability has been discovered and disclosed by the National Security Agency (NSA) in versions of the Windows 10 and Windows Server 2016/2019 operating systems. This vulnerability resides in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, and it can allow an attacker to appear as a legitimately trusted entity and can enable remote code execution. A Common Vulnerability Scoring System (CVSS) v3 score of 8.1 out of 10 has been assigned to this vulnerability.
At this time, Edwards' devices on market are not impacted by the Windows CryptoAPI vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the Microsoft security advisory page for this vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
3/9/2020
“SweynTooth” Cybersecurity Bulletin
Multiple security vulnerabilities in Bluetooth Low Energy (BLE) discovered across software development kits (SDK) of seven major system-on-chip (SoC) vendors were recently disclosed by a research group from Singapore University of Technology and Design (Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang). These vulnerabilities, referred to as "SweynTooth", expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes, buffer overflows, or the complete bypass of security. Common Vulnerability Scoring System (CVSS) v3 scores ranging from 5.7 to 8.8 out of 10 were assigned to the SweynTooth family of vulnerabilities.
At this time, Edwards' devices on market are not impacted by the SweynTooth family of vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
9/18/2019
“Urgent/11” Cybersecurity Bulletin
Multiple security vulnerabilities in the IPnet TCP/IP stack, implemented across various operating systems, were recently disclosed publicly by security researchers at Armis. These vulnerabilities, referred to as “Urgent/11”, can be used for remote code execution and could allow an attacker to compromise an entire system without user interaction. A Common Vulnerability Scoring System (CVSS) v3 score of 9.8 out of 10 has been assigned to Urgent/11.
At this time, Edwards' devices on market are not impacted by the Urgent/11 vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/advisories/icsma-19-274-01.
For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.