Xhibit Telemetry Receiver Vulnerable to Critical BlueKeep Windows Vulnerability
The Xhibit Telemetry Receiver (XTR), model number 96280, v1.0.2, and all versions of the currently unsupported Xhibit Arkon (model 99999) were found to be affected by the critical BlueKeep remote code execution vulnerability.
The vulnerability, tracked as CVE-2019-0708, affects the Remote Desktop Protocol (RDP) service of the Microsoft Windows operating system. An attacker could exploit it by sending specially crafted packets to Windows systems that have RDP enabled. Because the flaw is exploitable before authentication, no user interaction is necessary. The BlueKeep vulnerability is also wormable: malware can be created to take advantage of it and spread on its own to other vulnerable systems, as happened in the 2017 WannaCry ransomware attacks.
A remote attacker who successfully exploits the vulnerability could create accounts with full user rights; view, modify or delete files; execute arbitrary code; and install programs on vulnerable systems. The BlueKeep vulnerability is present in Windows Vista, Windows 2000, Windows XP, Windows 7, and Windows Server 2003 R2, 2003, 2008 R2, and 2008.
Microsoft discovered the vulnerability, and SpaceLabs reported it to CISA. The vulnerability has an assigned CVSS v3 base score of 9.8 out of 10.
All deployed XTR hardware appliances must be updated to the most current software release, v1.2.1 or later. However, there are no updates or patches for the unsupported Arkon products. According to SpaceLabs, the workaround for these products is to block TCP port 3389 at the enterprise perimeter firewall. TCP port 3389 is required to start RDP sessions, so blocking it prevents both exploitation and legitimate RDP sessions. This action will not stop exploitation from within the network, so physical controls should also be applied to limit product access to authorized personnel only.
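The remediation rules above (XTR 96280 below v1.2.1 needs the update, every Arkon 99999 needs the port-3389 workaround plus physical controls) lend themselves to an inventory triage script. The following is an added example, not SpaceLabs or CISA code; the inventory records and host names are constructed, and the "model" and "version" field names are assumptions about how a site's asset list might look.

```python
import re
from typing import Optional

# Constructed inventory records (host, model, firmware string); not real device data.
SAMPLE_INVENTORY = [
    {"host": "xtr-icu-01", "model": "96280", "version": "v1.0.2"},
    {"host": "xtr-icu-02", "model": "96280", "version": "v1.2.1"},
    {"host": "xtr-er-03", "model": "96280", "version": "v1.3.0"},
    {"host": "arkon-old-01", "model": "99999", "version": "v2.4.0"},
    {"host": "monitor-99", "model": "12345", "version": "v9.9.9"},
]

FIXED_XTR_VERSION = (1, 2, 1)   # v1.2.1 or later per the advisory
XTR_MODEL = "96280"
ARKON_MODEL = "99999"           # unsupported: no patch available


def parse_version(text: str) -> Optional[tuple]:
    """Turn 'v1.0.2' (or '1.0.2') into a comparable tuple; None if unparsable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def triage(device: dict) -> str:
    """Return the advisory action for one inventory record."""
    model = device["model"]
    if model == ARKON_MODEL:
        # No fix exists: block TCP/3389 at the perimeter and restrict physical access.
        return "workaround: block TCP/3389 at perimeter; apply physical access controls"
    if model != XTR_MODEL:
        return "not covered by this advisory"
    ver = parse_version(device["version"])
    if ver is None:
        # Unreadable version strings are treated as vulnerable until verified by hand.
        return "unknown version: verify manually, treat as vulnerable"
    if ver < FIXED_XTR_VERSION:
        return "vulnerable: update to v1.2.1 or later"
    return "patched"


def triage_inventory(inventory: list) -> dict:
    """Map each host to its action so the result can be fed to a ticketing system."""
    return {d["host"]: triage(d) for d in inventory}


if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```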
GE Healthcare Ultrasound Products Vulnerability
A vulnerability has been discovered in certain GE Healthcare ultrasound products that could allow an attacker to bypass protections and gain access to the underlying operating system.
The vulnerability is tracked as CVE-2020-6977 and has an assigned CVSS v3 base score of 6.8 out of 10.
The vulnerability affects the following GE Healthcare products:
- LOGIQ, all versions, except LOGIQ 100 Pro
- Versana Essential, all versions
- Voluson, all versions
- Vivid products, all versions
- Venue, all versions, except Venue 40 R1-3 and Venue 50 R4-5
- Invenia ABUS Scan station, all versions
The vulnerability cannot be exploited remotely; however, an attacker with physical access to a vulnerable product could exploit it to bypass Kiosk Mode.
To prevent exploitation, restrict physical access to vulnerable products. Where possible, enable the “system lock” password in the Administration GUI menu; once enabled, a password is required to access the system.
Marc Ruef and Rocco Gagliardi of scip AG identified the vulnerability, and Jonathan Bouman of Protozoan.nl and Michael Aguilar of Secureworks provided additional information.