Product Security Updates

We are aware of the recently disclosed PTC Axeda agent vulnerabilities (CVE-2022-25247, 25248, 25249, 25250, 25251).  We are actively monitoring this serious issue, and we are working to assess any products or services provided by Leica Microsystems that are either directly or indirectly affected by this vulnerability. 

At the current time, we have identified SPE, SP5, SP8 and SCN400 as potentially affected. Furthermore, this only affects instruments: 

• having currently any network connection, including restricted connections, and
• running pre-2021 version of Axeda RemoteCare.

This software is no longer being used by Leica Microsystems. LMS has retired the software on December 31, 2020.

There are several mitigation options:

• Contact your IT Department to restrict network access to the instrument, 
• Contact Leica Service to uninstall Axeda software from your instrument @ @iot@leicams.com
• For additional mitigation please visit: https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01

For more information, please review:

https://www.ptc.com/en/support/article/CS363561 
https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01 . 

Also, we strongly encourage all customers to register their equipment to receive email notifications in the future.

The Apache Foundation has announced security vulnerabilities for Log4j (CVE-2021-44228, CVE-2019-17571). Log4j is widely used across multiple industries for logging PC applications.

Our image acquisition software LAS X is not affected by this thread. However, SP8 workstations from the HP Z840 series come with a pre-installation of the MegaRAID storage manager, a tool which depends on Log4j. The ability to exploit these Log4j vulnerabilities is limited to computers connected to an unprotected network. In a worst-case scenario, an attacker could cause a denial-of-service condition and attain remote code execution.

What can you do to ensure a secure operation of your SP8 confocal system?

MegaRAID storage manager is not essential for the proper functioning of your SP8 confocal system but rather “only” a convenience tool for monitoring the internal RAID controller. Accordingly, to protect your valuable image data and your system, you can simply deinstall the MegaRAID storage manager. To do so, follow the instructions. Please note that the vulnerability is independent of whether the imaging software is started or not, as the affected components are booted up with the operating system. When an updated, secure version of the MegaRAID storage manager becomes available from the 3rd-party vendor, we will inform you via the product security page.

We are aware of the recently disclosed Apache Log4j vulnerability (CVE-2021-44228).  

We are actively monitoring this serious issue, and we are working to assess any products or services provided by Leica Microsystems that are either directly or indirectly affected by this vulnerability.

At the current time, we are not aware of any Leica Microsystem products or services that contain this vulnerability.

As we continue to investigate this issue, if we determine that any products or services need mitigation for this vulnerability, then we will work to make such mitigations available as quickly as possible, and we will provide information here describing how these mitigations can be applied.

For more information, please review CVE-2021-44228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 and the Apache Log4j post https://logging.apache.org/log4j/2.x/index.html.

Vulnerabilities in third-party NVIDIA GPU driver (all versions prior to 461.09) affect certain product lines running on LAS X confocal and LAS X widefield

LAS X confocal and LAS X widefield do not only empower researchers to acquire high-quality data. They also provide state-of-the-art image processing tools, such as LIGHTNING and THUNDER. To guarantee seamless computation for these demanding workloads, LAS X confocal and LAS X widefield leverage powerful graphic cards (GPUs) from NVIDIA.

NVIDIA is continuously evaluating their product security. In this context, they have recently disclosed several vulnerabilities for their GPU drivers (all versions prior to 461.09), warranting timely action for affected workstations. Being offered with an NVIDIA GPU configuration, the following product lines are affected:

• Confocal:

• STELLARIS (all systems running on LAS X confocal <= 4.2.0)
• SP8 (certain systems running on LAS X confocal <= 3.5.7: depending on whether acquisition workstation has an NVIDIA GPU)
• Offline workstations (certain workstations running on LAS X confocal <= 3.5.7 or LAS X confocal <= 4.2.0: depending on whether offline workstation has an NVIDIA GPU)

• Widefield:

• THUNDER Imager (all systems running on LAS X widefield <= 3.7.4)
• All systems with a ‘LAS X Workstation’ or a ‘LAS X Core Workstation’ (running on LAS X widefield <= 3.7.4)

If you are unsure whether your acquisition or offline workstation features an NVIDIA GPU, please refer to the instructions [‘Check if the system is equipped with an NVIDIA graphics card’]. In case your workstation does not have an NVIDIA GPU, there is no need to take any action regarding these disclosed vulnerabilities.

In case your workstation has an NVIDIA GPU, the disclosed vulnerabilities are resolved by installing the patched NVIDIA drivers as described in the instructions. We strongly recommend to all affected LAS X users to follow this guide in order to address all known NVIDIA driver vulnerabilities.

This NVIDIA driver issue is resolved independently from LAS X, i.e., a LAS X patch release is not necessary. Naturally, upcoming LAS X releases for confocal and widefield systems will contain the updated driver by default [461.09 or later], rendering the described procedure for addressing these very vulnerabilities unnecessary.

Finally, we have performed software tests for LAS X 3.5.7 (SP8), LAS X 3.7.4 (widefield), and LAS X 4.2.0 (STELLARIS) to verify the compatibility of the updated NVIDIA driver [461.09] with our respective LAS X software versions.

NVIDIA Driver Update Instructions for LAS X Workstations