Vulnerable GE anesthesia machines can be manipulated by attackers - Help Net Security

A vulnerability affecting several anesthesia and respiratory devices manufactured by General Electric (GE) Healthcare could allow attackers to manipulate the devices’ settings and silence alarms, CyberMDX researchers have found.



About the vulnerability (CVE-2019-10966)


CVE-2019-10966 affects versions 7100 and 7900 of the GE Aestiva and GE Aespire machines, primarily used in the U.S.


The vulnerability is exploitable only if the machines are connected to a hospital network through their serial communication port and via a terminal server, and only by an attacker who already has access to the network.


“Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anesthesia device parameters. This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks,” ICS-CERT