Missing Authentication for Critical Function in GE products - CVE-2020-6964
Published: January 24, 2020
Affected products:
- ApexPro Telemetry Server
- CARESCAPE Telemetry Server
- Clinical Information Center (CIC)
- CARESCAPE Central Station (CSCS)
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication on an affected device.
The vulnerability exists because the integrated keyboard-switching service on the affected devices does not require authentication. A remote attacker can obtain remote keyboard input access over the network without authenticating.
Note: This vulnerability affects the following versions of GE products:
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Central Station (CSCS), Versions 2.X