ICSMA-19-190-01  ·  Published 2019-07-23

GE Aestiva and Aespire Anesthesia (Update A)

CVSS 5.3 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to remotely modify GE Healthcare anesthesia device parameters. This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks.

CVEs (1)

Remediations

  • GE Healthcare recommends organizations use secure terminal servers when connecting GE Healthcare anesthesia device serial ports to TCP/IP networks. Secure terminal servers provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.
  • GE Healthcare recommends that organizations utilize best practices for terminal servers that include governance, management, and secure deployment measures such as network segmentation, VLANs, and device isolation to enhance existing security measures.
  • GE Healthcare plans to provide updates and additional security information about this vulnerability for affected users at the following location:
  • http://www3.gehealthcare.com/en/support/security
  • https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

Affected Vendors

General Electric (GE)

Affected Products (4)

General Electric (GE) · GE Aespire 7100 | 7900 | 100 | Protiva Carestation View
General Electric (GE) · GE Aestiva 7100 | 7900 MRI
General Electric (GE) · GE Carestation 620 | 650 | 650c
General Electric (GE) · GE Aisys CS2 Avance | Amingo | Avance CS2

Affected Sectors

Healthcare and Public Health
