Today the CISA NCCIC-ICS published a medical device security advisory for products from GE.
GE Advisory
This advisory describes six vulnerabilities in a number of GE Healthcare Monitoring platforms. The vulnerabilities were reported by Elad Luz of CyberMDX. GE has provided generic workarounds to mitigate the vulnerabilities. There is no indication that Luz has been provided an opportunity to verify the efficacy of the workarounds.
The six reported vulnerabilities are:
• Unprotected storage of credentials - CVE-2020-6961;
• Improper input validation - CVE-2020-6962;
• Use of hard-coded credentials - CVE-2020-6963;
• Missing authentication for critical function - CVE-2020-6964;
• Unrestricted upload of file with dangerous type - CVE-2020-6965; and
• Inadequate encryption strength - CVE-2020-6966.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to obtain PHI data; to make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with its function, and/or changing certain alarm settings on connected patient monitors; and/or to use the services intended for remote viewing and control of devices on the network to access the clinical user interface and change device settings and alarm limits, which could result in missed or unnecessary alarms or the silencing of some alarms.