R-TF-030-004 Cyber Security Risk Matrix
Risk Matrix
| Risk ID | Threat ID (MITRE) | Device Property ID | Device Property Description | Threat Name | Component Name | Threat Description | CVEs | CWE | Mitigating Factors | Initial CVSS (Base) | Residual CVSS (Base) | Acceptable | Transfer to Safety Risks | Relevant for Safety (Justification) | Safety Risk IDs |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R-C67 | TID-207 | PD-243 | Device includes containers | Container Escape | Medical Device | Container environments, such as Docker and Kubernetes, share the same underlying kernel as the host operating system. Therefore, a container escape vulnerability allows an attacker to run unauthorized code outside the isolated container. Exploiting container vulnerabilities could lead to incorrect configuration, resource exhaustion, and allow one container to interfere with or compromise the other containers hosted on that device. | CVE-2020-2556. CVE-2022-0815 | CWE-693 | NIST 800-190: Segmentation Through Microservices-based SLA Mitigation (Doc: Intermediate) | 8.6 | 2.1 | YES | |||
| R-E6S | TID-301 | PID-31 | Application-level software is present and running on the device | Application Binaries Modified | Medical Device | A threat actor could modify application-level libraries or binaries on the device, resulting in the execution of malicious code or evasion of detection. This could also include the modification of libraries used to structure the execution environment or system functions. | | CWE-862 | Leading: MID-003 - Periodic/Continuous Integrity Measurement and Remote Attestation. Intermediate: MID-002 - Hardware-backed Bootloader Authentication. Intermediate: MID-009 - Operating System-based Runtime Integrity Check. Foundational: MID-001 - Software Only Bootloader Authentication | 9.4 | 2.1 | YES | |||
| R-8K2 | TID-319 | PID-311 | Device includes web/HTTP applications | Cross Site Scripting (XSS) | Web API Gateway | The device does not properly restrict, filter, or validate the content of web-based requests or outputs, especially content used to construct HTML or JavaScript elements within a web page. A threat actor can add malicious JavaScript to an HTTP request, including through a GET/POST parameter or HTTP header fields, which then executes in the browser of an unsuspecting user. The malicious JavaScript can then be used to steal session tokens or send forged requests (especially via XMLHttpRequest) to change device configurations or data. | CVE-2018-14784. CVE-2014-2246 | CWE-79 | Foundational: MID-071 - Sanitized and Escaped User Data for Web Applications | 5.1 | 2.1 | YES | |||
| R-9P7 | TID-320 | PID-311 | Device includes web/HTTP applications | SQL injection | Web API Gateway | The device does not properly restrict, filter, or validate user-provided input before it is used in SQL queries. A threat actor may insert malicious SQL code into input fields that interact with the database, allowing them to manipulate or extract sensitive data within the database. | CVE-2014-2351. CVE-2016-5817 | CWE-89 | Foundational: MID-072 - Parameterized SQL Queries | 9.3 | 6.3 | YES (CVSS < 7.0 is acceptable) | |||
| R-L4M | TID-321 | PID-311 | Device includes web/HTTP applications | HTTP Application Session Hijacking | Web API Gateway | A threat actor can hijack an insufficiently protected HTTP session token to gain unauthorized access to a device. HTTP session tokens can be obtained by a threat actor if they are sent unencrypted over the network or if the site is vulnerable to cross-site scripting (XSS). | CVE-2022-43398. CVE-2020-25198 | CWE-384 | Foundational: MID-035 - Encrypt Network Traffic. Foundational: MID-073 - Secure HTTP Session Management | 9.3 | 6.3 | YES | |||
| R-W3N | TID-323 | PID-311 | Device includes web/HTTP applications | HTTP Path Traversal | Web API Gateway | A threat actor can send requests for files or content that reside in directories other than those intended to be accessible through the web server. This can be used to gain access to data that is not intended to be remotely accessible, such as files belonging to the operating system or other applications. This threat is primarily a result of the web server not canonicalizing requested paths before enforcing its document root, combined with the web server having excessive privileges over files and directories on the device. | CVE-2018-13379. CVE-2023-39810. CVE-2015-3939. CVE-2015-0984 | CWE-22 | Foundational: MID-075 - Path Traversal Protections | 8.8 | 6.9 | YES | |||
| R-Q5T | TID-324 | PID-311 | Device includes web/HTTP applications | HTTP Direct Object Reference | Web API Gateway | If a device does not properly authenticate and authorize all HTTP requests, a threat actor can directly send a request to a specific URL to access data or initiate a device function. This could be used to access/download sensitive data or perform unwanted changes to settings or functions on a device. This typically requires that the threat actor knows the URL of the specific file/object/page, rather than depending on the links provided by the web application. This is especially problematic for static files hosted on a web server (e.g., txt, pdf), since the authentication mechanisms provided by the web application framework may not enforce access controls on those files. | CVE-2023-38257 | CWE-639 | Foundational: MID-076 - Web Direct Object Reference Authentication | 8.8 | 6.9 | YES | |||
| R-H7V | TID-325 | PID-311 | Device includes web/HTTP applications | HTTP Injection/Response Splitting | Web API Gateway | The device uses HTTP headers that are unencrypted, not validated, and/or unauthenticated. This means that the device may accept and process arbitrary data arriving at the receiving web server over the network. Threat actors may therefore be able to inject their own content into headers, possibly using that input to obtain more information than they should have access to or to exploit a vulnerability on the receiving device. | CVE-2012-0310 | CWE-113 | Foundational: MID-078 - HTTP Request/Response Validation | 8.8 | 6.9 | YES | |||
| R-X2B | TID-326 | PID-3121 | Device includes support for object-oriented programming languages (e.g., Java, Python, PHP, C++) | Insecure Deserialization | Medical Device | Many object-oriented languages use serialization to convert class objects into byte strings for more efficient storage or transmission. However, if an untrusted byte string is deserialized without properly validating its contents, it could be used to exploit a vulnerability in the associated library. A threat actor could send a maliciously crafted serialized object to a device to exploit a deserialization vulnerability within the device. | CVE-2022-1118. CVE-2023-31222. CVE-2021-4104 | CWE-502 | MID-088 - Formally Verified Parsers. MID-089 - Formal Methods Verification of Critical Functionality Implementation. MID-077 - Secure Deserialization | 9.3 | 6.3 | YES | |||
| R-F8Z | TID-311 | PID-332 | Device includes authenticated services | Default Credentials | Medical Device | Devices often include default credentials from the vendor. Default credentials can be changed, but are often overlooked when devices are commissioned. If left unchanged, a threat actor may discover and use these credentials to gain unauthorized access to the device. Non-unique or predictable default credentials can lead to device compromise. | CVE-2022-29962. CVE-2021-22681 | CWE-1392. CWE-1393 | Foundational: MID-043 - Manage Default Login Credentials | 9.3 | 6.3 | YES (CVSS < 7.0 is acceptable) | |||
| R-D1Y | TID-312 | PID-332 | Device includes authenticated services | Credential Change Mechanism Can Be Abused | Medical Device | A device’s credential change mechanisms can be abused to lock out users from their own devices by changing credentials to something unknown to the legitimate user. This could impair the legitimate user from accessing the device and may also render the device permanently inoperable. This could also be coupled with unwanted device configuration changes before the user is locked out. | CVE-2019-6527 | CWE-645 | Foundational: MID-038 - Authenticate for Administrative Actions | 7.2 | 5.9 | YES | |||
| R-N6A | TID-313 | PID-332 | Device includes authenticated services | Unauthenticated Session Changes Credential | Medical Device | A threat actor can change or reset a password or credential without being authenticated. This can be used by a threat actor to set the credential to a known value and then use this to authenticate to the device. | CVE-2019-6527 | CWE-287 | Foundational: MID-038 - Authenticate for Administrative Actions | 9.3 | 2.1 | YES | |||
| R-J9C | TID-328 | PID-332 | Device includes authenticated services | Hardcoded Credentials | Medical Device | Hardcoded credentials typically cannot be changed by end-users and are often undocumented, leaving the end-user unaware of the risk. If a threat actor is able to discover the credentials for a device (or family of devices with the same password), they may be able to exploit multiple devices with no known device-level mitigation. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate together, but can be abused when discovered. | CVE-2020-29583. CVE-2024-57811. CVE-2024-28747 | CWE-798 | Foundational: MID-043 - Manage Default Login Credentials | 9.3 | 1.0 | YES | |||
| R-K4U | TID-316 | PID-3322. PID-4113 | Device includes cryptographic mechanism to authenticate users and sessions. Device includes cryptographic functions for sensitive data, such as encryption or authentication | Incorrect Certificate Verification Allows Authentication Bypass | Medical Device | Certificate-based authentication depends on the correct parsing and validation of an X.509 certificate. However, if the certificate is not properly parsed and all fields are not validated, a threat actor could potentially bypass authentication using a fraudulent certificate. | CVE-2017-2800. CVE-2014-0092 | CWE-295 | Foundational: MID-027 - Validated Cryptographic Libraries | 9.3 | 6.3 | YES | |||
| R-M7G | TID-317 | PID-3322. PID-4113 | Device includes cryptographic mechanism to authenticate users and sessions. Device includes cryptographic functions for sensitive data, such as encryption or authentication | Predictable Cryptographic Key | Medical Device | If the device does not generate sufficiently random cryptographic primitives, a threat actor could predict or brute-force guess a key to gain unauthorized access or decrypt a connection. Keys generated without sufficiently random seed information, including poor PRNGs, lack entropy. Researchers have shown that many Internet-exposed devices with TLS or SSH services used identical RSA moduli, enabling derivation of their private keys and remote authentication. | CVE-2022-43485. CVE-2012-4898 | CWE-331. CWE-338 | Intermediate: MID-033 - Unique Factory Preinstalled Secret Keys. Intermediate: MID-048 - Hardware Random Number Generator. Intermediate: MID-060 - Dedicated Hardware Cryptographic Modules. Foundational: MID-047 - Sufficient Entropy for Keys | 9.3 | 6.3 | YES | |||
| R-P3S | TID-318 | PID-3322. PID-4113 | Device includes cryptographic mechanism to authenticate users and sessions. Device includes cryptographic functions for sensitive data, such as encryption or authentication | Insecure Cryptographic Implementation | Medical Device | The device uses a cryptographic library or implementation that introduces additional vulnerabilities. A threat actor may exploit these weaknesses to gain unauthorized access or bypass protections provided by the cryptographic protocol. | CVE-2014-0160. CVE-2014-0092 | CWE-1240 | MID-060 - Dedicated Hardware Cryptographic Modules. Foundational: MID-027 - Validated Cryptographic Libraries | 9.3 | 6.3 | YES | |||
| R-V5R | TID-330 | PID-272. PID-3322 | Device includes cryptographic firmware/software integrity protection mechanisms. Device includes cryptographic mechanism to authenticate users and sessions | Cryptographic Timing Side-Channel | Medical Device | Algorithms or code implementations of cryptographic processes will sometimes leak information by ending operations early or late depending on, and correlated with, the input or key. If a threat actor is able to execute code on a processor performing a cryptographic operation, they may be able to infer key material from that operation by measuring how long the various functions take. For example, if a function like memcmp (which compares byte by byte and returns at the first mismatch) is used to check an HMAC value, the time the check takes reveals how many leading bytes of the submitted tag were correct, so the tag can be forged one byte at a time instead of having to be brute-forced as a whole. | CVE-2024-13176 | CWE-208. CWE-1254 | Foundational: MID-027 - Validated Cryptographic Libraries. Foundational: MID-044 - Strong Cryptographic Algorithms and Protocols | 5.7 | 2.0 | YES | |||
| R-A8E | TID-411 | PID-3322. PID-4113 | Device includes cryptographic mechanism to authenticate users and sessions. Device includes cryptographic functions for sensitive data, such as encryption or authentication | Weak/Insecure Cryptographic Protocol | Medical Device | The device utilizes a weak or insecure cryptographic protocol or algorithm that can be broken or undermined. This could allow the threat actor to extract plaintext information from encrypted communications, extract cryptographic keys, or bypass authentication mechanisms. A threat actor can utilize various techniques to manipulate these protocols, including brute-force guessing of keys or using cryptanalysis to decipher the text. | CVE-2022-30273. CVE-2022-29955. CVE-2022-29960 | CWE-327 | Intermediate: MID-082 - Post-quantum Cryptography. Foundational: MID-044 - Strong Cryptographic Algorithms and Protocols | 9.3 | 6.3 | YES | |||
| R-T2W | TID-310 | PID-41. PID-331 | Device exposes remote network services. Device includes unauthenticated services | Remotely Accessible Unauthenticated Services | Medical Device | If an application does not authenticate all remote connections, a threat actor can establish access to the device to obtain confidential data or make unauthorized changes to status or configuration. | | CWE-285 | Foundational: MID-034 - Authenticate Network Messages | 9.3 | 6.3 | YES | |||
| R-Z6L | TID-401 | PID-41 | Device exposes remote network services | Undocumented Protocol Features | Medical Device | Some devices may support proprietary protocols or add proprietary extensions to open protocols. Undocumented functions or commands prevent users from disabling unwanted capabilities and hinder their ability to detect malicious use of those hidden functions. | CVE-2013-2802. CVE-2021-22779 | CWE-1371. CWE-912. CWE-1059 | Foundational: MID-079 - Remove Undocumented Network Functionality | 8.7 | 5.3 | YES | |||
| R-B4Q | TID-404 | PID-41 | Device exposes remote network services | Remotely Triggerable Deadlock/DoS | Medical Device | Some devices enter inoperable states due to specific modes, parsing bugs, or protocol vulnerabilities. A threat actor may send crafted messages that push the device into deadlock or unresponsiveness, degrading functionality or making the device unavailable until manually reset. | CVE-2015-5374 | CWE-833 | MID-088 - Formally Verified Parsers. MID-089 - Formal Methods Verification of Critical Functionality Implementation. Intermediate: MID-008 - Decidable Protocols and Parsers. Foundational: MID-032 - System Service Availability Manager | 8.7 | 6.3 | YES | |||
| R-Y1H | TID-405 | PID-41 | Device exposes remote network services | Network Stack Resource Exhaustion | Medical Device | Remote connections may consume device resources such as buffers, packet-processing capacity, or socket availability. A threat actor can intentionally exhaust these resources by sending repetitive or specially crafted traffic, causing the device to become unresponsive. The unresponsive state may persist until the attack stops or the device is manually reset. | CVE-2020-3566 | CWE-400. CWE-410 | MID-088 - Formally Verified Parsers. MID-089 - Formal Methods Verification of Critical Functionality Implementation. Intermediate: MID-008 - Decidable Protocols and Parsers. Foundational: MID-080 - Network Request Processing Limits. Foundational: MID-032 - System Service Availability Manager | 8.7 | 6.3 | YES | |||
| R-G3X | TID-407 | PID-41 | Device exposes remote network services | Missing Message Replay Protection | Medical Device | A threat actor may replay messages to trigger unwanted functions, send unauthorized commands, or access privileged data. Replay attacks exploit missing or poorly designed authentication protections such as nonces or timestamps. | CVE-2017-6034. CVE-2013-2820 | CWE-294 | Foundational: MID-036 - Cryptographic Nonces. Foundational: MID-037 - Network Timestamps | 9.3 | 6.3 | YES | |||
| R-S9D | TID-221 | PID-4113 | Device includes cryptographic functions for sensitive data, such as encryption or authentication | Authentication Bypass By Message Replay | Medical Device | Some devices will allow for authentication over the network, but do not implement mechanisms (e.g., nonces, timestamps) to ensure that messages containing credentials cannot be reused. Devices like these are potentially vulnerable to replay attacks. In these attacks, threat actors may be able to take legitimate packets that were sent over the network, capture them, and send them again to the device. If the device accepts these packets, threat actors may be able to initiate unauthorized actions. Additionally, if threat actors are able to edit the contents of those packets without invalidating them, they can potentially control the device remotely. | | CWE-294 | Foundational: MID-036 - Cryptographic Nonces. Foundational: MID-037 - Network Timestamps | 9.3 | 6.3 | YES | |||
| R-U7K | TID-410 | PID-4113 | Device includes cryptographic functions for sensitive data, such as encryption or authentication | Cryptographic Protocol Side Channel | Medical Device | Even when data is encrypted, a threat actor may infer sensitive information by analyzing metadata or side-channel patterns such as message sizes, timing, sequences, or frequency, potentially revealing plaintext characteristics. | | CWE-1230. CWE-15 | Foundational: MID-044 - Strong Cryptographic Algorithms and Protocols. Foundational: MID-018 - Require Authentication for Privileged Functions. Foundational: MID-031 - Physical Presence Validation. Foundational: MID-038 - Authenticate for Administrative Actions. Foundational: MID-083 - Network Firewall/Access Control List | 8.2 | 6.3 | YES | |||
| R-C2F | TID-412 | PID-42 | Device includes procedure to forward or route network messages | Network Routing Capability Abuse | Medical Device | Some devices will allow for the forwarding of packets to other connected devices (e.g., routing, port forwarding, tunneling, VPN). If the device is used to forward or route communications, a threat actor could change the forwarding rules or routes. This feature could be used by the threat actor to either (i) disable required forwarding rules to prevent authorized communications or (ii) add new rules that allow unauthorized access to other devices. The threat actor could potentially use this to gain access to devices that are within protected networks or zones. | | CWE-306 | Foundational: MID-017 - Security-relevant Auditing and Logging | 8.6 | 1.8 | YES | |||
| R-I6N | n/a | n/a | n/a | Spoofing the External Entity | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | The external entity may be spoofed by an attacker and this may lead to unauthorized access to the device. Consider using a standard authentication mechanism to identify the external entity. | | | Secure login by user and password. Authentication by JWT (securely sent and managed) | 6.9 | 6.3 | YES | |||
| R-O4P | n/a | n/a | n/a | Spoofing the Medical Device | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | The device may be spoofed by an attacker and this may lead to information disclosure or unauthorized access to the device. Consider using a standard authentication mechanism to identify each party in the communication. | | | Secure login by user and password. Authentication by JWT (securely sent and managed) | 6.9 | 6.3 | YES | |||
| R-E1R | n/a | n/a | n/a | Potential Data Repudiation by Traefik Proxy | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | The device/external entity claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. | | | Include information about the communications within the audit logs | 6.9 | 2.1 | YES | |||
| R-W8J | n/a | n/a | n/a | Data Flow through HTTPS (TLS 1.3) Is Potentially Interrupted | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | An external agent interrupts data flowing between the external entity and the device in either direction. | | | MID-032 - System Service Availability Manager | 8.7 | 6.3 | YES | |||
| R-L5V | n/a | n/a | n/a | The AWS Data Store Services Could Be Corrupted | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | Data flowing across HTTPS (TLS 1.3) may be tampered with by an attacker. This may lead to corruption of data. Ensure the integrity of the data flow. | | | Use TLS 1.3 to ensure integrity of data in transit | 5.3 | 2.3 | YES | |||
| R-X9A | n/a | n/a | n/a | Data in Transit Not Encrypted | User - Traefik Proxy; Let's Encrypt - Traefik Proxy; AWS Services - Web API Gateway | Data flowing across HTTPS (TLS 1.3) may be disclosed by an attacker if it is not encrypted. This may lead to sensitive information disclosure. Ensure the confidentiality of the data flow. | | | Use TLS 1.3 to ensure confidentiality of data in transit | 5.3 | 2.3 | YES | |||
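Worked example for R-9P7 (CWE-89 / MID-072), added by the editor and not taken from the device's code base: the same lookup written once by splicing the caller's value into the statement text and once as a parameterized query, run against the same tautology payload. The in-memory SQLite table, its columns and the three sample rows are constructed for this illustration.

```python
# Added example for R-9P7 (CWE-89 / MID-072). Not code from the device; the
# table layout and the sample rows are constructed for this illustration.
import sqlite3

SAMPLE_ROWS = [  # constructed sample data
    ("alice", "study-0001"),
    ("bob", "study-0002"),
    ("carol", "study-0003"),
]


def open_db() -> sqlite3.Connection:
    """Throwaway in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE study (owner TEXT NOT NULL, study_id TEXT NOT NULL)")
    conn.executemany("INSERT INTO study VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def studies_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89: the caller's value is spliced into the statement text, so a
    quote character in it ends the literal and the rest becomes SQL syntax."""
    sql = f"SELECT study_id FROM study WHERE owner = '{owner}' ORDER BY study_id"
    return [row[0] for row in conn.execute(sql)]


def studies_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """MID-072: the value is bound by the driver and is never parsed as SQL,
    so the payload is just an owner name that matches nothing."""
    sql = "SELECT study_id FROM study WHERE owner = ? ORDER BY study_id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict:
    """Run both variants against a tautology payload and a legitimate owner."""
    conn = open_db()
    payload = "x' OR '1'='1"  # closes the literal, appends an always-true clause
    return {
        "vulnerable": studies_vulnerable(conn, payload),        # every row leaks
        "parameterized": studies_parameterized(conn, payload),  # nothing matches
        "legit": studies_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Escaping quote characters by hand is not a substitute for binding: the residual score for R-9P7 assumes every statement that carries user input goes through the driver's parameter mechanism (or an ORM that does so), including statements built inside stored procedures.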
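Worked example for R-W3N (CWE-22 / MID-075), added by the editor and not taken from the device's code base: a document-root containment check that decodes the request once, collapses `..` segments and symlinks with `realpath`, and only then decides whether the resolved path is still under the root. The temporary document root, the file names and the request strings are constructed for this illustration.

```python
# Added example for R-W3N (CWE-22 / MID-075). Not code from the device; the
# document root, file names and request strings are constructed here.
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def safe_join(root: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `root` and return the real path only if it
    still lies inside `root`. Percent-decoding happens exactly once; realpath then
    collapses '..' segments and follows symlinks before the containment check, so
    encoded traversal and planted symlinks are both caught. Absolute paths and
    double-encoded input are refused rather than silently re-rooted."""
    root_real = os.path.realpath(root)
    decoded = unquote(requested)
    if "%" in decoded:  # still encoded after one pass: refuse, do not decode again
        return None
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows: certainly outside
        return None
    return candidate if inside else None


def demo() -> dict:
    """Exercise safe_join against a constructed document root; True means served."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.makedirs(os.path.join(docroot, "reports"))
        with open(os.path.join(docroot, "reports", "a.txt"), "w") as fh:
            fh.write("public report")
        secret = os.path.join(tmp, "device.key")  # lives outside the document root
        with open(secret, "w") as fh:
            fh.write("secret")
        cases = {
            "plain": "reports/a.txt",
            "normalized_inside": "reports/../reports/a.txt",
            "dotdot": "../device.key",
            "encoded_dotdot": "%2e%2e/device.key",
            "double_encoded": "%252e%252e/device.key",
            "absolute": "/etc/passwd",
        }
        try:  # a symlink planted inside the root that points outside it
            os.symlink(secret, os.path.join(docroot, "reports", "link"))
            cases["symlink_escape"] = "reports/link"
        except OSError:
            pass  # symlinks unavailable on this platform; case skipped
        return {name: safe_join(docroot, req) is not None for name, req in cases.items()}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:18} {'served' if served else 'rejected'}")
```

The check is only half of MID-075: the other half is the excessive-privilege point in the row, so the web server process should also run as an account that cannot read the key material or other applications' files even if a future bypass is found.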
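Worked example for R-V5R (CWE-208 / CWE-1254), added by the editor and not taken from the device's code base: an HMAC check done with an early-exit byte compare, an attacker that recovers the tag one byte at a time from how much work the check did, and the same attack failing against a constant-time compare. The key, the command string and the comparison counter (standing in for measured time) are constructed for this illustration.

```python
# Added example for R-V5R (CWE-208). Not code from the device; the key, the
# message and the comparison counter are constructed for this illustration.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real device key belongs in a keystore
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag_for(message: bytes) -> bytes:
    """HMAC-SHA256 tag the device expects for `message`."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


class CompareOracle:
    """Verifies a submitted tag and reports how many byte comparisons it made.
    The count stands in for the wall-clock time an attacker would measure."""

    def __init__(self, constant_time: bool) -> None:
        self.constant_time = constant_time

    def verify(self, message: bytes, candidate: bytes) -> tuple:
        expected = tag_for(message)
        if self.constant_time:
            # Fixed amount of work no matter where the first mismatch is.
            return hmac.compare_digest(expected, candidate), len(expected)
        # memcmp-style early exit: stops at the first differing byte, so the
        # amount of work reveals how many leading bytes were correct.
        steps = 0
        for a, b in zip(expected, candidate):
            steps += 1
            if a != b:
                return False, steps
        return len(expected) == len(candidate), steps


def recover_tag(oracle: CompareOracle, message: bytes) -> bytes:
    """Byte-at-a-time forgery: for each position try all 256 values and keep the
    one the oracle spent longest on. At most 256 * TAG_LEN queries instead of
    2 ** (8 * TAG_LEN) for a blind brute force."""
    known = bytearray()
    for pos in range(TAG_LEN):
        best_byte, best_steps = 0, -1
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + b"\x00" * (TAG_LEN - pos - 1)
            accepted, steps = oracle.verify(message, candidate)
            if accepted:
                return candidate
            if steps > best_steps:
                best_byte, best_steps = guess, steps
        known.append(best_byte)
    return bytes(known)


def demo() -> dict:
    """Run the recovery against both oracles for one constructed command."""
    message = b"SET infusion_rate=5"  # constructed command
    leaky = recover_tag(CompareOracle(constant_time=False), message)
    safe = recover_tag(CompareOracle(constant_time=True), message)
    return {
        "leaky_forged": leaky == tag_for(message),
        "constant_time_forged": safe == tag_for(message),
    }


if __name__ == "__main__":
    print(demo())
```

Against the constant-time oracle every guess costs the same, so the attacker's "best" byte is just the first one tried and the recovered value is garbage. On real hardware the signal is noisier than this counter, but it is recoverable with repetition, which is why MID-027 libraries expose a dedicated constant-time comparison and why hand-rolled `memcmp`-style checks on tags, passwords or tokens should be treated as findings.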
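Worked example for R-G3X and R-S9D (CWE-294 / MID-036, MID-037), added by the editor and not taken from the device's code base: a command message carrying a random nonce and a timestamp under an HMAC, and a receiver that checks the MAC first, then freshness, then a nonce cache bounded by the freshness window. The shared key, the window length and the command strings are constructed for this illustration.

```python
# Added example for R-G3X / R-S9D (CWE-294). Not code from the device; the
# shared key, the window and the command strings are constructed here.
import hashlib
import hmac
import json
import os
from typing import Optional

KEY = b"constructed-shared-key"  # constructed; provisioned per device in practice
WINDOW_SECONDS = 30               # how far a timestamp may drift from receiver time


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(command: str, now: float, nonce: Optional[bytes] = None) -> dict:
    """Sender side: nonce and timestamp are covered by the MAC, so neither can be
    altered by someone who captured the message."""
    nonce = nonce or os.urandom(16)
    body = {"cmd": command, "ts": int(now), "nonce": nonce.hex()}
    mac = hmac.new(KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


class Receiver:
    """Receiver side: MAC, then freshness, then replay cache, in that order, so an
    unauthenticated sender can neither fill the cache nor learn which nonces it holds."""

    def __init__(self) -> None:
        self.seen = {}  # nonce -> timestamp; entries older than the window are dropped

    def accept(self, msg: dict, now: float) -> tuple:
        body = {k: msg.get(k) for k in ("cmd", "ts", "nonce")}
        expected = hmac.new(KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad-mac"
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return False, "stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if body["nonce"] in self.seen:
            return False, "replay"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


def demo() -> list:
    """Legitimate delivery, a straight replay, a replay with an edited timestamp,
    and a captured message delivered after the window has closed."""
    now = 1_700_000_000.0  # constructed clock value
    rx = Receiver()
    msg = build_message("SET pump_rate=5", now)
    outcomes = [rx.accept(msg, now + 1)[1]]                    # ok
    outcomes.append(rx.accept(msg, now + 2)[1])                # replay
    edited = dict(msg, ts=int(now + 3600))                     # MAC no longer matches
    outcomes.append(rx.accept(edited, now + 3600)[1])          # bad-mac
    old = build_message("SET pump_rate=9", now - 120)
    outcomes.append(rx.accept(old, now)[1])                    # stale
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The timestamp is what lets the nonce cache stay small: once a message is older than the window it is rejected as stale whether or not its nonce is remembered, so only nonces from the last `WINDOW_SECONDS` need to be kept. Without a trustworthy clock on the device, a challenge-response nonce issued by the receiver (MID-036) replaces the timestamp rather than complementing it.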
CVSS scores summary
CVSS scores before additional mitigations (without security controls)
| Overall CVSS Score | Rating | Acceptability | Number of Items |
|---|---|---|---|
| 0 | None | Broadly Acceptable - No further Action Required | 0 |
| 0.1 - 3.9 | Low | Broadly Acceptable - No further Action Required | 0 |
| 4.0 - 6.9 | Medium | Acceptable - Evaluate for further Risk Reduction | 7 |
| 7.0 - 8.9 | High | Unacceptable - Risk Reduction Required | 11 |
| 9.0 - 10.0 | Critical | Unacceptable - Risk Reduction Required | 14 |
| Total | | | 32 |
CVSS scores after additional mitigations (with security controls)
| Overall CVSS Score | Rating | Acceptability | Number of Items |
|---|---|---|---|
| 0 | None | Broadly Acceptable - No further Action Required | 0 |
| 0.1 - 3.9 | Low | Broadly Acceptable - No further Action Required | 10 |
| 4.0 - 6.9 | Medium | Acceptable - Evaluate for further Risk Reduction | 22 |
| 7.0 - 8.9 | High | Unacceptable - Risk Reduction Required | 0 |
| 9.0 - 10.0 | Critical | Unacceptable - Risk Reduction Required | 0 |
| Total | | | 32 |
Overall Security Risk Evaluation Summary
For risks with a score below 6.0, no further analysis was performed and no additional security controls were implemented.
There are no unacceptable residual risks.
Security Risk-Benefit Analysis
This Security Risk-Benefit Analysis (SRBA) covers the cybersecurity assessment of Legit Health, version 1.0, within its intended operational environment. Its purpose is to evaluate whether the identified cybersecurity risks are acceptable in relation to the expected benefits.
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001