The DHS Cybersecurity and Infrastructure Security Agency has issued a warning of six critical-rated vulnerabilities in several GE medical monitoring devices.

Advisory ICSMA-20-023-01 covers the GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) and Clinical Information Center (CIC) systems, and the CARESCAPE B450, B650 and B850 monitors. The vulnerability classes include unprotected storage of credentials, improper input validation, use of hard-coded credentials, missing authentication for a critical function, unrestricted upload of a file with a dangerous type, and inadequate encryption strength.

As of now, GE said it was not aware of any reported incidents of a cyberattack in clinical use, or of any reported injuries, associated with any of these vulnerabilities.

The flaws

  • CVE-2020-6961, critical: a vulnerability in the affected products that could allow an attacker to obtain access to the SSH private key in configuration files;
  • CVE-2020-6962, critical: an input validation vulnerability in the web-based system configuration utility that could allow an attacker to obtain arbitrary remote code execution;
  • CVE-2020-6963, critical: the affected products use hard-coded SMB credentials, which may allow an attacker to remotely execute arbitrary code if exploited;
  • CVE-2020-6964, critical: the integrated service for keyboard switching in the affected devices could allow attackers to obtain remote keyboard input access over the network without authentication;
  • CVE-2020-6965, critical: a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files to the system through a crafted update package;
  • CVE-2020-6966, critical: the affected products use a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution on devices on the network.

GE is in the process of developing and releasing patches for these issues. In the meantime, the company recommends:

  • The MC and IX networks are isolated, and if connectivity is needed outside the MC and/or IX networks, a router/firewall is used.
  • The MC and IX router/firewall should be set up to block all incoming traffic initiated from outside the network, with exceptions for needed clinical data flows.
  • Physical access to central stations, telemetry servers, and the MC and IX networks is restricted. Default passwords for Webmin should be changed as recommended.
  • Password management best practices are followed.
  • The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated.

Even though there are upcoming patches and temporary workarounds, Jonathan Knudsen, senior security strategist with Synopsys, noted that such vulnerabilities should be discovered during the development phase and not after the products have been released.

“In the design phase, this takes the form of using threat modeling and other techniques to identify design vulnerabilities and the security controls that are necessary to reduce the risk of the system,” he said.