GE has issued recommendations and will provide updates and additional security information on an improper authentication vulnerability in its Aestiva and Aespire Anesthesia devices, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Elad Luz of CyberMDX, could allow an attacker to remotely modify GE Healthcare anesthesia device parameters. It results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks.
The following versions of GE Aestiva and Aespire Anesthesia Machines suffer from the remotely exploitable vulnerability:
• GE Aestiva and Aespire Versions 7100
• GE Aestiva and Aespire Versions 7900
A vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms.
CVE-2019-10966 has been assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product is used in the healthcare and public health sectors and is deployed primarily in the United States.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
GE Healthcare recommends organizations use secure terminal servers when connecting GE Healthcare anesthesia device serial ports to TCP/IP networks. Secure terminal servers provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.
GE Healthcare recommends organizations utilize best practices for terminal servers that include governance, management, and secure deployment measures such as network segmentation, VLANs, and device isolation to enhance existing security measures.
GE Healthcare plans to provide updates and additional security information about this vulnerability for affected users.