Patch Management

Critical vulnerabilities found in GE medical gear

January 24, 2020
  • CVE-2020-6961, critical, a vulnerability that exists in the affected products that could allow an attacker to obtain access to the SSH private key in configuration files.;
  • CVE-2020-6962, critical, is an input validation vulnerability in the web-based system configuration utility that could allow an attacker to obtain arbitrary remote code execution;
  • CVE-2020-6963, critical, where the affected products utilize hard-coded SMB credentials, which may allow an attacker to remotely execute arbitrary code if exploited;
  • CVE-2020-6964, critical, where the integrated service for keyboard switching of the affected devices could allow attackers to obtain remote keyboard input access without authentication over the network;
  • CVE-2020-6965, critical, is a a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package;
  • CVE-2020-6966, critical, the affected products utilize a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution of devices on the network.
  • The MC and IX Networks are isolated and if connectivity is needed outside the MC and/or IX Networks, a router/firewall is used.
  • MC and IX Router/Firewall should be set up to block all incoming traffic initiated from outside the network, with exceptions for needed clinical data flows.
  • Restricted physical access to central stations, telemetry servers, and the MC and IX networks. Default passwords for Webmin should be changed as recommended.
  • Password management best practices are followed.
  • The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated.
prestitial ad