Discovered Vulnerability in GE Aestiva and Aespire Anesthesia Devices

An improper authentication vulnerability has been found in GE Aestiva and Aespire anesthesia devices, which are in widespread use in hospitals across America.

The vulnerability, CVE-2019-10966, could allow an attacker to remotely alter the parameters of a vulnerable device and silence its alarms. Possible changes include adjusting the gas-composition parameters and the flow-sensor gas-density measurements, and altering the time shown on the device.

The vulnerability stems from the exposure of certain terminal server implementations that extend the serial ports of GE Healthcare anesthesia machines to TCP/IP networks. An attacker can take advantage of it when those serial ports are connected to a TCP/IP network through an insecure terminal server.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10. It affects GE Aestiva and Aespire devices, versions 7900 and 7100.

GE Healthcare stated that its devices themselves are not directly affected by the vulnerability, even if an attacker exploits it. The company has formally investigated the risk and concluded that it poses no direct medical risk to patients: changes made to a device while it is in use would not alter the delivery of treatment to the patient, and exploitation would not expose information.

GE Healthcare has suggested mitigations to prevent exploitation of the vulnerability: use secure terminal servers when the serial ports of GE Healthcare anesthesia devices are connected to TCP/IP networks, and follow best practices for terminal servers.

The security features of a secure terminal server include network security, strong encryption, user authentication, VPN support, logging and audit options, secure settings and management solutions.

The best practices to follow cover governance, operations, and secure deployment processes such as VLANs, network segmentation and device isolation.
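As an added example (not code from the advisory or from GE Healthcare), the check below audits a constructed inventory of terminal servers against the mitigations listed above: a serial-to-TCP bridge is flagged when it lacks authentication, encryption or audit logging, or when its listener sits outside, or is reachable from outside, an isolated device VLAN. The VLAN name `anesthesia` and the record fields are assumptions for the example.

```python
from dataclasses import dataclass, field

DEVICE_VLAN = "anesthesia"  # assumed name of the isolated segment for anesthesia devices


@dataclass
class TerminalServer:
    name: str
    serial_to_tcp: bool          # device serial port bridged onto TCP/IP
    auth_required: bool          # user authentication on the TCP listener
    encrypted: bool              # TLS or VPN protecting the bridged session
    audit_logging: bool          # session logging / audit trail enabled
    vlan: str                    # VLAN the TCP listener is placed on
    reachable_from: list = field(default_factory=list)  # VLANs that can reach the listener


def audit(ts: TerminalServer) -> list[str]:
    """Return the list of mitigation gaps for one terminal server (empty = compliant)."""
    findings: list[str] = []
    if not ts.serial_to_tcp:
        return findings  # serial port is not exposed to the network at all
    if not ts.auth_required:
        findings.append("serial bridge reachable without authentication")
    if not ts.encrypted:
        findings.append("serial bridge session is not encrypted")
    if not ts.audit_logging:
        findings.append("no logging/audit trail for serial sessions")
    if ts.vlan != DEVICE_VLAN:
        findings.append(f"listener on VLAN '{ts.vlan}', not the isolated device VLAN")
    foreign = [v for v in ts.reachable_from if v != DEVICE_VLAN]
    if foreign:
        findings.append("reachable from other segments: " + ", ".join(foreign))
    return findings


# Constructed sample inventory: one insecure bridge, one hardened bridge, one unbridged unit.
SAMPLE = [
    TerminalServer("ts-or-1", True, False, False, False, "hospital-lan", ["guest-wifi", "hospital-lan"]),
    TerminalServer("ts-or-2", True, True, True, True, DEVICE_VLAN, [DEVICE_VLAN]),
    TerminalServer("ts-or-3", False, False, False, False, "hospital-lan", ["hospital-lan"]),
]


def audit_all(servers=SAMPLE) -> dict[str, list[str]]:
    """Map each terminal server name to its findings."""
    return {ts.name: audit(ts) for ts in servers}


if __name__ == "__main__":
    for name, gaps in audit_all().items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```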