GE Aestiva and Aespire Anesthesia devices were found to have an improper authentication vulnerability. These devices are typically used in hospitals all over America.
The CVE-2019-10966 vulnerability can allow an attacker to remotely change the parameters of an affected device and silence alarms. Potential modifications include changing the gas composition parameters used for the desired flow sensor readings for gas density and modifying the date and time indicated on the device.
The vulnerability is a result of the exposure of particular terminal server implementations that extend the serial ports of GE Healthcare anesthesia devices to TCP/IP networks. An attacker could exploit the vulnerability only if the serial devices are linked to a TCP/IP network through an additional, unsecured terminal server.
The vulnerability was assigned a CVSS v3 base score of 5.3. It affects GE Aespire versions 7100 and 7900 and GE Aestiva devices.
GE Healthcare stated that this vulnerability does not affect the GE Healthcare devices themselves. Although the vulnerability can be exploited, GE Healthcare has confirmed after a formal risk investigation that there is no direct clinical risk to patients. While a device is in use, changes made through the vulnerability would not modify the delivery of patient treatment, and exploitation would not result in information exposure.
GE Healthcare has presented mitigations to prevent exploitation of the vulnerability. Secure terminal servers should be used when linking the serial ports of GE Healthcare anesthesia devices to TCP/IP networks, and best practices for terminal servers should be implemented.
The security characteristics of secure terminal servers include strong encryption, user authentication, network security, logging and audit functions, VPN support, and secure configuration and management solutions.
Best practices to follow include governance, operations, and secure deployment procedures, which include using VLANs, device isolation, and network segmentation.