GE Healthcare Ultrasound Products Security Advisory Update
Summary
A CISA medical advisory has been updated to reflect a new vulnerability present in GE HealthCare ultrasound products
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated a medical advisory to reflect a new vulnerability (CVE-2024-1486) present in GE HealthCare ultrasound products. Successful exploitation of the vulnerabilities could allow an attacker with physical access to gain access to the operating system of affected devices.
Vulnerability details
- CVE-2020-6977 - CWE-693 - Protection Mechanism Failure
A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality of affected devices. Specially crafted inputs can allow the user to escape the restricted environment, resulting in access to the underlying operating system. This vulnerability has a CVSSv3 score of 8.4.
- CVE-2024-1486 - CWE-286 - Incorrect User Management
These ultrasound products are vulnerable to privilege escalation via misconfigured access control lists. This vulnerability has a CVSSv3 base score of 7.4.
Remediation advice
Affected organisations are encouraged to review the CISA advisory ICSMA-20-049-02 and apply the relevant updates.
GE Healthcare recommends organisations restrict physical access to devices by unauthorised individuals. GE Healthcare recommends users enable the "system lock" password in the Administration GUI menu, if possible. This process will require a password to be entered before the system can be accessed. The "system lock" would limit non-authenticated users from accessing the application.
GE Healthcare recommends that users with questions reach out to a GE Healthcare service representative and users with an active support account visit the GE Healthcare product security portal (login required).
CISA recommends users take defensive measures to minimise the risk of exploitation of these vulnerabilities, such as:
- Ensure physical protections are in place to prevent any unauthorised access to the devices.
- Encourage security awareness throughout the hospital staff so that clinical staff will report any unauthorised person trying to log in to, or otherwise tamper with, a medical device.
- Educate employees on social engineering, both online and on-site, which is often used to gain access to unauthorised resources.
Last edited: 17 May 2024 4:18 pm