CVE-2020-6961, critical: a vulnerability in the affected products could allow an attacker to obtain access to the SSH private key stored in configuration files;
CVE-2020-6962, critical: an input validation vulnerability in the web-based system configuration utility could allow an attacker to obtain arbitrary remote code execution;
CVE-2020-6963, critical: the affected products use hard-coded SMB credentials, which may allow an attacker to remotely execute arbitrary code;
CVE-2020-6964, critical: the integrated service for keyboard switching on the affected devices could allow attackers to obtain remote keyboard input access over the network without authentication;
CVE-2020-6965, critical: a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files to the system through a crafted update package;
CVE-2020-6966, critical: the affected products use a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution on devices on the network.
The MC and IX networks should be isolated, and if connectivity is needed outside the MC and/or IX networks, a router/firewall should be used.
The MC and IX router/firewall should be set up to block all incoming traffic initiated from outside the network, with exceptions only for needed clinical data flows.
Physical access to central stations, telemetry servers, and the MC and IX networks should be restricted.
Default passwords for Webmin should be changed as recommended.
Password management best practices
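The router/firewall rule described above, as an added example that is not part of the advisory or of any vendor guidance: a POSIX shell script that generates an nftables ruleset for the boundary between the MC/IX networks and the rest of the hospital network, dropping every connection initiated from outside, allowing replies and connections initiated from the MC/IX side, and permitting only an explicit list of inbound clinical flows. The interface names (eth1 on the MC/IX side, eth0 on the hospital side), addresses, and the example flows (an HL7 feed on TCP 2575 and DICOM on TCP 104) are assumptions chosen for illustration, not ports documented for any product.

```shell
#!/bin/sh
# Added example; not from the advisory or from any vendor configuration.
# Emits an nftables ruleset for the router/firewall at the MC/IX boundary:
# connections initiated from outside are dropped and logged, replies and
# connections initiated from the MC/IX side are allowed, and only the flows
# listed in ALLOWED_FLOWS are accepted inbound. Interfaces, addresses, ports
# and the flows themselves are assumptions for illustration.

# Allowed inbound clinical flows, one per line:
#   <source cidr> <destination ip> <tcp|udp> <port> <free-text comment>
ALLOWED_FLOWS='10.50.0.10/32 10.20.30.5 tcp 2575 HL7 results from integration engine
10.50.0.20/32 10.20.30.6 tcp 104 DICOM from PACS'

# validate_flows: returns 1 on the first malformed ALLOWED_FLOWS line, so a
# typo fails closed instead of producing a rule that matches too much.
validate_flows() {
    printf '%s\n' "$ALLOWED_FLOWS" | while read -r src dst proto port comment; do
        [ -n "$src" ] || continue                       # skip blank lines
        case $src in */*) ;; *) echo "flow '$src': source must be a CIDR" >&2; exit 1 ;; esac
        case $proto in tcp|udp) ;; *) echo "flow '$src': proto must be tcp or udp" >&2; exit 1 ;; esac
        case $port in ''|*[!0-9]*) echo "flow '$src': port must be numeric" >&2; exit 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "flow '$src': port out of range" >&2; exit 1; }
    done   # 'exit' inside the loop only leaves the pipeline subshell (bash/dash)
}

# gen_ruleset INSIDE_IF OUTSIDE_IF
# Prints the ruleset to stdout, or prints nothing and returns 1 when
# ALLOWED_FLOWS does not validate.
gen_ruleset() {
    inside=$1
    outside=$2
    validate_flows || return 1
    printf 'table inet mcix_boundary {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy drop;\n'
    printf '        ct state invalid drop\n'
    printf '        ct state established,related accept\n'
    printf '        iifname "%s" accept comment "initiated from MC/IX side"\n' "$inside"
    # One explicit exception per clinical flow; everything else from outside
    # falls through to the logged drop below.
    printf '%s\n' "$ALLOWED_FLOWS" | while read -r src dst proto port comment; do
        [ -n "$src" ] || continue
        printf '        iifname "%s" ip saddr %s ip daddr %s %s dport %s ct state new accept comment "%s"\n' \
            "$outside" "$src" "$dst" "$proto" "$port" "$comment"
    done
    printf '        iifname "%s" log prefix "mcix-drop: " drop\n' "$outside"
    printf '    }\n'
    printf '}\n'
}

# count_inbound_exceptions INSIDE_IF OUTSIDE_IF: number of rules that accept a
# new connection arriving on the outside interface (should equal the flow list).
count_inbound_exceptions() {
    gen_ruleset "$1" "$2" | grep -c "iifname \"$2\" .* ct state new accept"
}

# Demo when run as RULES_DEMO=1 sh mcix-rules.sh: print the generated ruleset.
if [ "${RULES_DEMO:-0}" = 1 ]; then
    gen_ruleset eth1 eth0
fi
```

Load the output with nft -f on the boundary device, and keep ALLOWED_FLOWS short and reviewed: each line is a hole in the isolation, and the script refuses to emit anything when a line is malformed rather than guessing.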
The most effective way to eliminate vulnerabilities like these is to find them as early as possible by following a secure development life cycle (SDLC), in which vulnerabilities are identified and removed at every stage of product development rather than after the product has been deployed.