Thursday, January 23, 2020

1 Advisory Published – 1-23-20


Today the CISA NCCIC-ICS published a medical device security advisory for products from GE.

GE Advisory


This advisory describes six vulnerabilities in a number of GE Healthcare Monitoring platforms. The vulnerabilities were reported by Elad Luz of CyberMDX. GE has provided generic workarounds to mitigate the vulnerabilities. There is no indication that Luz has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Unprotected storage of credentials - CVE-2020-6961;
• Improper input validation - CVE-2020-6962;
• Use of hard-coded credentials - CVE-2020-6963;
• Missing authentication for critical function - CVE-2020-6964;
• Unrestricted upload of file with dangerous type - CVE-2020-6965; and
• Inadequate encryption strength - CVE-2020-6966.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to:

• obtain PHI data;
• make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with the function of the device, and/or making certain changes to alarm settings on connected patient monitors; and/or
• utilize services used for remote viewing and control of devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.
