Unprotected storage of credentials in GE products - CVE-2020-6961
Published: January 24, 2020
ApexPro Telemetry Server
CARESCAPE Telemetry Server
Clinical Information Center (CIC)
CARESCAPE Central Station (CSCS)
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to other users' credentials.
The vulnerability exists because the application stores credentials in plain text in a configuration file on the system. A remote attacker can obtain access to the SSH private key in configuration files.
Note: This vulnerability affects the following versions of CIC and CSCS:
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Central Station (CSCS), Versions 2.X
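
To audit a system for the condition described above, the following added example (not part of the original advisory and not vendor code) scans configuration text for embedded private-key blocks and reports whether each one is stored without passphrase protection. The sample configuration and key header are constructed; the file layout and the names `find_private_keys`, `openssh_cipher` and `sample_blob` are assumptions, not product details.

```python
import base64
import re
import struct

# Any PEM-armoured private-key block embedded in arbitrary text.
PEM_RE = re.compile(
    r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"

def openssh_cipher(blob):
    """Return the ciphername field of an openssh-key-v1 blob, or None."""
    off = len(MAGIC)
    if not blob.startswith(MAGIC) or len(blob) < off + 4:
        return None
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")

def find_private_keys(text):
    """Return (label, stored_in_plaintext) for each private-key block in text."""
    findings = []
    for label, body in PEM_RE.findall(text):
        if label == "OPENSSH PRIVATE KEY":
            # Config files often hold the key on one line with literal "\n".
            b64 = "".join(body.replace("\\n", " ").split())
            try:
                plaintext = openssh_cipher(base64.b64decode(b64)) == "none"
            except ValueError:
                plaintext = False  # undecodable body: not reported as plaintext
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with passphrase
            plaintext = False
        else:  # legacy RSA/EC/DSA PEM, or unencrypted PKCS#8
            plaintext = "Proc-Type: 4,ENCRYPTED" not in body
        findings.append((label, plaintext))
    return findings

def sample_blob(cipher):
    """Constructed header only (magic, ciphername, kdfname, kdfoptions); no key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(MAGIC + s(cipher) + s(b"none") + s(b"")).decode()

# Constructed configuration file; names and layout are assumptions.
SAMPLE_CONFIG = (
    "[remote]\nhost = 192.0.2.10\nuser = service\n"
    "key = -----BEGIN OPENSSH PRIVATE KEY-----\n" + sample_blob(b"none")
    + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, plaintext in find_private_keys(SAMPLE_CONFIG):
        print(label, "PLAINTEXT" if plaintext else "passphrase-protected")
```

A key reported as plaintext is usable by anyone who can read the file, so the finding should be paired with a check of who has read access to that file.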