The company CyberMDX has published information about six vulnerabilities affecting various GE Healthcare medical devices designed to monitor patient condition. Five of the vulnerabilities are assigned the maximum severity level (CVSSv3 score of 10 out of 10). The vulnerabilities have been codenamed MDhex and mostly stem from publicly known, pre-installed credentials shared across an entire series of devices.
- CVE-2020-6961 - the devices ship with an SSH private key shared across the entire product line, which lets anyone who holds the key connect to any device and execute code on it. The same key is also used in the update delivery process;
- CVE-2020-6962 - predefined credentials, common to all devices, granting read and write access to the file system via the SMB protocol;
- CVE-2020-6963 - the MultiMouse and Kavoom KM applications installed on the devices allow a device to be controlled remotely (simulated keyboard, mouse and clipboard input) without authentication;
- CVE-2020-6964 - predefined VNC connection parameters, including the credentials, shared by all devices;
- CVE-2020-6965 - an outdated version of Webmin is pre-installed, which allows remote access with root privileges;
- CVE-2020-6966 - the update installation manager used on the devices allows update spoofing, because updates are authenticated with the same publicly known SSH key.
The problems affect the ApexPro and CARESCAPE Telemetry Server telemetry collection servers, the CIC (Clinical Information Center) and CSCS (CARESCAPE Central Station) platforms, and the B450, B650 and B850 patient monitors. The vulnerabilities give full control over the devices, which can be used to make changes at the operating-system level, silence an alarm, or spoof patient data.
To attack, an attacker must be able to establish a network connection to the device, for example by connecting to the hospital network. As a workaround, isolate the subnet with the medical devices from the general hospital network and block on the firewall the network ports 22 (SSH), 137, 138, 139 and 445 (NetBIOS/SMB), 5800 and 5900 (VNC), 10000 (Webmin), and also 5225 and 10001, which the advisory lists as well.
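As an added example (not part of the original article, and not tooling from GE Healthcare or CyberMDX), the Python script below checks from the network position it is run on whether the ports named in the workaround are still reachable on a device address; run from the general hospital network, every port it reports open is one the firewall isolation has not closed. The service labels for 22, 137-139/445, 5800/5900 and 10000 follow the well-known port assignments; 5225 and 10001 are included only because the advisory lists them. The names `check_exposure`, `exposed_services` and `self_test` are hypothetical helper names chosen for this example; `self_test` builds its own local listener so the script can be exercised offline.

```python
"""Probe the MDhex ports from the current network position.

Added example, not code from the article or from GE Healthcare/CyberMDX.
Assumes a TCP connect() to a port is an adequate reachability test; it is
not a vulnerability check, only a check that the firewall workaround holds.
"""
import socket
from typing import Dict, Iterable, List

# Ports the advisory asks hospitals to block. Service names are the well-known
# assignments; for 5225 and 10001 the page does not say which service listens.
MDHEX_PORTS: Dict[int, str] = {
    22: "SSH (shared private key, CVE-2020-6961; update channel, CVE-2020-6966)",
    137: "NetBIOS name service (SMB, CVE-2020-6962)",
    138: "NetBIOS datagram service (SMB, CVE-2020-6962)",
    139: "NetBIOS session service (SMB, CVE-2020-6962)",
    445: "SMB over TCP (CVE-2020-6962)",
    5225: "listed in the advisory blocklist (service not stated)",
    5800: "VNC over HTTP (CVE-2020-6964)",
    5900: "VNC (CVE-2020-6964)",
    10000: "Webmin (CVE-2020-6965)",
    10001: "listed in the advisory blocklist (service not stated)",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect() to host:port completes within timeout.

    Refused, filtered (timeout) and unreachable all count as closed, which is
    the right answer for this check: only a completed handshake means the
    service is exposed from where the probe runs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports: Iterable[int] = tuple(MDHEX_PORTS),
                   timeout: float = 1.0) -> Dict[int, bool]:
    """Probe each port over TCP and map port -> reachable.

    Caveat: 137 and 138 are UDP services in practice, so a TCP probe says
    nothing about them; the firewall rule still has to cover UDP as well.
    """
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def exposed_services(results: Dict[int, bool]) -> List[str]:
    """Render the ports that came back reachable together with the MDhex
    service each one exposes, sorted by port number."""
    return [
        f"{port}/tcp {MDHEX_PORTS.get(port, 'unknown')}"
        for port, is_open in sorted(results.items())
        if is_open
    ]


def self_test() -> Dict[int, bool]:
    """Offline demonstration: listen on one ephemeral loopback port, leave a
    second ephemeral port closed, and probe both. The result maps the open
    port to True and the closed port to False, in that order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)  # backlog lets connect() succeed without an accept()
    open_port = listener.getsockname()[1]

    # Grab and immediately release a second ephemeral port; it is closed by
    # the time the probe reaches it (connect() is refused).
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return check_exposure("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    findings = exposed_services(check_exposure(target))
    print(f"{target}: {len(findings)} MDhex port(s) reachable")
    for line in findings:
        print("  " + line)
```

Invoke it as `python3 mdhex_check.py <device-ip>` from a host on the general hospital network; an empty finding list means the listed TCP ports are not reachable from that segment, but it does not confirm the UDP NetBIOS ports are blocked, and it says nothing about access from inside the medical VLAN itself.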
Source: opennet.ru
