Risk | Low |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-6977 |
CWE-ID | CWE-693 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software |
Vivid products | Hardware solutions / Medical equipment |
LOGIQ | Hardware solutions / Medical equipment |
Voluson | Hardware solutions / Medical equipment |
Versana Essential | Hardware solutions / Medical equipment |
Invenia ABUS Scan station | Hardware solutions / Medical equipment |
Venue | Hardware solutions / Medical equipment |
Vendor | GE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU25442
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2020-6977
CWE-ID: CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description
The vulnerability allows a local attacker to gain access to the operating system of affected devices.
The vulnerability exists due to a restricted desktop environment escape in the "Kiosk Mode" functionality. An attacker with physical access can use specially crafted inputs and escape the restricted environment, resulting in access to the underlying operating system.
Note: This vulnerability does not affect LOGIQ 100 Pro, Venue 40 R1-3 and Venue 50 R4-5.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Vivid products: All versions
LOGIQ: All versions
Voluson: All versions
Versana Essential: All versions
Invenia ABUS Scan station: All versions
Venue: All versions
CPE2.3
External links
http://ics-cert.us-cert.gov/advisories/icsma-20-049-02
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?