Silex Technology and GE Healthcare have mitigations in play to take care of improper authentication and OS command injection vulnerabilities in their SX-500, SD-320AN and MobileLink products, according to a report with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities could allow modification of system settings and remote code execution. Public exploits are available.
Eric Evenchick of Atredis Partners reported these vulnerabilities to Silex and GE and tested pre-release firmware and other mitigations confirming they resolved the vulnerabilities.
The following products from Silex Technology are affected. Some are not affected by both vulnerabilities:
• GEH-500 Version 1.54 and prior(integrated into GE MobileLink)
• SX-500 All Versions (End of Life 2011)
• GEH-SD-320AN Version GEH-1.1 and prior (integrated into GE MobileLink)
• SD-320AN Version 2.01 and prior (End of Life Nov 2017)
The following models of GE MAC Resting ECG analysis system may use the vulnerable MobileLink technology:
• MAC 3500
• MAC 5000 (End of Life 2012)
• MAC 5500
• MAC 5500 HD
In one vulnerability, authentication is not verified when making certain POST requests, which may allow attackers to modify system settings.
CVE-2018-6020 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
In addition, a system call parameter is not properly sanitized, which may allow remote code execution.
CVE-2018-6021 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.
The products see use in the healthcare and public health sectors. They also see action on a global basis.
Public exploits are available and an attacker with low skill level could leverage the holes.
Silex Technologies and GE Healthcare recommend the following mitigations:
1 CVE-2018-6020 (GE MobileLink/SX-500) – Enable the “update” account within the web interface, which is not enabled by default. Set the secondary password for the “update” account to prevent unauthenticated changes to the device configuration.
2 CVE-2018-6021 (GE MobileLink/GEH-SD-320AN) – Silex Technology and GE Healthcare have produced an updated firmware image for the GEH-SD-320AN, which will be made available for download from GE Healthcare upon completion of testing by May 31, 2018.
GE Healthcare will post information pertaining to enabling the “update” account and download of new firmware.
The firmware update for SD-320AN is separate from GEH-SD-320AN and will be available for download from Silex Technology at a future date. This update does not pertain to the listed GEH device. Contact Silex Technology for more information regarding download and application of this new firmware.