Security Information Glaucoma Workplace 3.5.2
Description
A downgrade attack is a cyberattack in which malicious actors force Glaucoma Workplace version 3.5.2 to use an older, less secure method of communication. This is done by intercepting and modifying the communication between ZEISS Glaucoma Workplace Server and other network entities incl. the FORUM Viewer with the Glaucoma Workplace Client.
This issue is solely related to cybersecurity and does not compromise the health and safety of the patient. It also has no impact on the safety and performance of ZEISS Glaucoma Workplace.
Conditions
A downgrade attack as described above is possible only if
- an attacker with network access is able to set up an intercepting entity
Affected versions
The vulnerability affects the following GWP versions:
- Glaucoma Workplace 3.5.2
Recommended actions
1. Close the vulnerability by a software update
ZEISS recommends updating your Glaucoma Workplace to version 3.6.0 to ensure continued cybersecurity. A software version labeled Glaucoma Workplace 3.6.0 is available for installation. This version closes the described vulnerability. Please reach out to your local ZEISS Service team for additional information on updating your ZEISS Glaucoma Workplace software.
2. Close the vulnerability by configuration
If a software update of the Glaucoma Workplace version is not an option, there is also the possibility to update the configuration of the Glaucoma Workplace version 3.5.2. Please reach out to your local ZEISS Service team for additional information on the required configuration changes to your ZEISS Glaucoma Workplace software.