ICSMA-18-128-01
Published 2018-06-05
Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink (Update B)
CVSS 7.4 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could allow modification of system settings and remote code execution.
CVEs (2)
Remediations
Silex Technology and GE Healthcare recommend the following mitigations:
- CVE-2018-6020 (GE MobileLink/SX-500): Enable the update account within the web interface, which is not enabled by default. Set the secondary password for the update account to prevent unauthenticated changes to the device configuration.
- CVE-2018-6021 (GE MobileLink/GEH-SD-320AN): Silex Technology and GE Healthcare have produced an updated firmware image (Version 1.14) for the GEH-SD-320AN, which is now available for download at http://silextechnology.com/geh320an/
- GE Healthcare has released a security notice that can be viewed at http://www3.gehealthcare.com/en/support/security
- The firmware update (Version 2.0.3) for SD-320AN is separate from GEH-SD-320AN and is available for download from Silex Technology at https://www.silextechnology.com/connectivity-solutions/device-connectivity/sd-320an
- Note that this update does not pertain to the listed GEH device. Contact Silex Technology for more information regarding download and application of this new firmware.
Affected Vendors
Silex Technology and GE Healthcare
Affected Products (4)
- Silex Technology and GE Healthcare · SX-500 · * (end-of-life 2011)
- Silex Technology and GE Healthcare · GEH-500 · <= 1.54 (integrated into GE MobileLink)
- Silex Technology and GE Healthcare · GEH-SD-320AN · <= GEH-1.1 (integrated into GE MobileLink)
- Silex Technology and GE Healthcare · SD-320AN · <= 2.01 (end-of-life Nov 2017)
Affected Sectors
Healthcare and Public Health