The DHS Cybersecurity and Infrastructure Security Agency has issued a warning of six critical-rated vulnerabilities in several GE medical monitoring devices.

Advisory ICSMA-20-023-01 covers the GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) and Clinical Information Center (CIC) systems, CARESCAPE B450, B650, B850 monitors. The vulnerabilities include unprotected storage of credentials, improper input validation, use of hard-coded credentials, missing authentication for critical function, unrestricted upload of file with dangerous type and inadequate encryption strength.

As of now GE said it was not aware of any reported incidences of a cyberattack in a clinical use or any reported injuries associated with any of these vulnerabilities.

The flaws are:

  • CVE-2020-6961, critical, a vulnerability that exists in the affected products that could allow an attacker to obtain access to the SSH private key in configuration files.;
  • CVE-2020-6962, critical, is an input validation vulnerability in the web-based system configuration utility that could allow an attacker to obtain arbitrary remote code execution;
  • CVE-2020-6963, critical, where the affected products utilize hard-coded SMB credentials, which may allow an attacker to remotely execute arbitrary code if exploited;
  • CVE-2020-6964, critical, where the integrated service for keyboard switching of the affected devices could allow attackers to obtain remote keyboard input access without authentication over the network;
  • CVE-2020-6965, critical, is a a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package;
  • CVE-2020-6966, critical, the affected products utilize a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution of devices on the network.

GE is in the process of developing and releasing patches for these issues. In the meantime, the company recommends:

  • The MC and IX Networks are isolated and if connectivity is needed outside the MC and/or IX Networks, a router/firewall is used.
  • MC and IX Router/Firewall should be set up to block all incoming traffic initiated from outside the network, with exceptions for needed clinical data flows.
  • Restricted physical access to central stations, telemetry servers, and the MC and IX networks. Default passwords for Webmin should be changed as recommended.
  • Password management best practices are followed.
  • The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated.

Even though there are upcoming patches and temporary workarounds Jonathan Knudsen, senior security strategist with Synopsys, noted such vulnerabilities should be discovered during the development phase and not after they have been released.

“In the design phase, this takes the form of using threat modeling and other techniques to identify design vulnerabilities and the security controls that are necessary to reduce the risk of the system,” he said.