Inadequate Encryption Strength in GE products - CVE-2020-6966
Published: January 24, 2020
Vulnerability identifier: #VU24508
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-6966
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GE
Affected software:
ApexPro Telemetry Server
CARESCAPE Telemetry Server
Clinical Information Center (CIC)
CARESCAPE Central Station (CSCS)
ApexPro Telemetry Server
CARESCAPE Telemetry Server
Clinical Information Center (CIC)
CARESCAPE Central Station (CSCS)
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target device.
The vulnerability exists due to the affected products utilize a weak encryption scheme for remote desktop control. A remote attacker can execute arbitrary code on devices on the network.
Note: This vulnerability affects the following versions of CIC and CSCS:
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Central Station (CSCS), Versions 1.X
How to mitigate CVE-2020-6966
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.