CVE-2020-6962

EUVD-2020-28102

24.01.2020, 17:15

In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Telemetry Server Version 4.3, CARESCAPE Central Station (CSCS) Versions 1.X CARESCAPE Central Station (CSCS) Versions 2.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, an input validation vulnerability exists in the web-based system configuration utility that could allow an attacker to obtain arbitrary remote code execution.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Affected Products (NVD)

Vendor	Product	Version
gehealthcare	apexpro_telemetry_server_firmware	𝑥 ≤ 4.2
gehealthcare	apexpro_telemetry_server_firmware	4.3
gehealthcare	carescape_b450_monitor_firmware	2.0
gehealthcare	carescape_b650_monitor_firmware	1.0
gehealthcare	carescape_b650_monitor_firmware	2.0
gehealthcare	carescape_b850_monitor_firmware	1.0
gehealthcare	carescape_b850_monitor_firmware	2.0
gehealthcare	carescape_central_station_mai700_firmware	1.0
gehealthcare	carescape_central_station_mai700_firmware	2.0
gehealthcare	carescape_central_station_mas700_firmware	1.0
gehealthcare	carescape_central_station_mas700_firmware	2.0
gehealthcare	clinical_information_center_mp100d_firmware	4.0
gehealthcare	clinical_information_center_mp100d_firmware	5.0
gehealthcare	clinical_information_center_mp100r_firmware	4.0
gehealthcare	clinical_information_center_mp100r_firmware	5.0
gehealthcare	carescape_telemetry_server_mp100r_firmware	𝑥 ≤ 4.2
gehealthcare	carescape_telemetry_server_mp100r_firmware	4.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://www.us-cert.gov/ics/advisories/icsma-20-023-01

https://www3.gehealthcare.com/~/media/downloads/us/support/site-planning/site-readiness/gehc-gateway_project_implementation_guide_pdf.pdf

https://www.us-cert.gov/ics/advisories/icsma-20-023-01