The DHS Cybersecurity and Infrastructure Security Agency has issued a warning of six critical-rated vulnerabilities in several GE medical monitoring devices.
Advisory ICSMA-20-023-01 covers the GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) and Clinical Information Center (CIC) systems, CARESCAPE B450, B650, B850 monitors. The vulnerabilities include unprotected storage of credentials, improper input validation, use of hard-coded credentials, missing authentication for critical function, unrestricted upload of file with dangerous type and inadequate encryption strength.
As of now GE said it was not aware of any reported incidences of a cyberattack in a clinical use or any reported injuries associated with any of these vulnerabilities.
The flaws
are:
- CVE-2020-6961, critical, a
vulnerability that exists in the affected products that could allow an attacker
to obtain access to the SSH private key in configuration files.; - CVE-2020-6962, critical, is an input
validation vulnerability in the web-based system configuration utility that
could allow an attacker to obtain arbitrary remote code execution; - CVE-2020-6963, critical, where the
affected products utilize hard-coded SMB credentials, which may allow an
attacker to remotely execute arbitrary code if exploited; - CVE-2020-6964, critical, where the
integrated service for keyboard switching of the affected devices could allow attackers
to obtain remote keyboard input access without authentication over the network; - CVE-2020-6965, critical, is a a
vulnerability in the software update mechanism allows an authenticated attacker
to upload arbitrary files on the system through a crafted update package; - CVE-2020-6966, critical, the affected
products utilize a weak encryption scheme for remote desktop control, which may
allow an attacker to obtain remote code execution of devices on the network.
GE is in the
process of developing and releasing patches for these issues. In the meantime,
the company recommends:
- The MC and IX Networks are isolated
and if connectivity is needed outside the MC and/or IX Networks, a router/firewall
is used. - MC and IX Router/Firewall should be
set up to block all incoming traffic initiated from outside the network, with
exceptions for needed clinical data flows. - Restricted physical access to central
stations, telemetry servers, and the MC and IX networks. Default passwords for
Webmin should be changed as recommended. - Password management best practices
are followed. - The best way to stamp out
vulnerabilities is to find them as soon as possible by using a secure
development life cycle (SDLC). At every stage of product development,
vulnerabilities are identified and eradicated.
Even though
there are upcoming patches and temporary workarounds Jonathan Knudsen, senior
security strategist with Synopsys, noted such vulnerabilities should be
discovered during the development phase and not after they have been released.
“In the
design phase, this takes the form of using threat modeling and other techniques
to identify design vulnerabilities and the security controls that are necessary
to reduce the risk of the system,” he said.
