Threat Intel: ICS Medical Advisory: GE CARESCAPE CV150 Patient Monitors

New Vulnerabilities have a CVSS base score of 5.3
Cynerio
News
Jan 8, 2021

Advisory Information

An ICS Medical Advisory (ICSMA-21-007-01) was issued on January 7, 2021 on two improper neutralization vulnerabilities found in Innokas Medical devices developed in partnership with GE Healthcare. These vulnerabilities have a CVSS v3 base score of 5.3 and are the second set of CVEs in GE products discovered in the last month. 

Devices Affected

Innokas Yhtymä Oy Vital Signs Monitors (GE CARESCAPE VC150), versions 1.7.15 and earlier are affected.

Vulnerability Details

If successfully exploited, threat actors can gain access to the devices, modify communications, and disable critical features. 

  1. CVE-2020-27262 - This is a cross-site scripting (XSS) vulnerability with a CVSS v3 base score of 4.6 involving improper neutralization of input during web page generation. Successful exploitation can enable the injection of arbitrary HTML or web script through filename parameters, affecting various update endpoints of the device’s administrative web interface.
  2. CVE-2020-27260 - This vulnerability has a CVSS v3 base score of 5.3 involving the improper neutralization of special elements in output used by downstream components. Successful exploitation of the vulnerability requires threat actors to physically connect to the device with a barcode reader, and allows the injection of HL7 v2.x segments into like messages through various parameters.

What Is the Vulnerability’s Impact on Health Care?

Innokas Yhtymä Oy Vital Signs Monitors (GE CARESCAPE VC150) measure blood pressure, body temperature, respiratory and pulse rates. The monitors are used for both intra-hospital transport and on-site care. 

If compromised, devices may stop functioning, ultimately disrupting patient care. Patient information can also be falsified, further jeopardizing treatment plans and patient safety. 

What You Can Do to Mitigate the Threat & How Cynerio Can Help

Step 1:  Work with Cynerio to identify all affected devices on your network

Step 2: Update your Innokas Yhtymä Oy Vital Signs Monitors (GE CARESCAPETM VC150) devices to version 1.7.15b or later and administer the patch

Step 3: Restrict physical access to the devices to trusted and necessary personnel to prevent unauthorized access

Step 4: Work with Cynerio to quickly configure safe segmentation policies to limit device access to the Internet and prevent remote access to the device; where necessary, Cynerio can help quarantine/isolate affected and infected devices

References

https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01 

https://www.gehealthcare.com/en-US/security

Keep your finger on the pulse of Healthcare IoT security