CVE-2020-6965 - Vulnerability Details

In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.003.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

GE CARESCAPE Telemetry Server,ApexPro Telemetry Server,CARESCAPE Central Station,Clinical Information Center systems,CARESCAPE B450,B650,B850 Monitors

affected

Version	Status	Constraints
`ApexPro Telemetry Server,v4.2 & prior,CARESCAPE Telemetry Server, v4.2 & prior,Clinical Information Center,v4.X& 5.X,CARESCAPE Telemetry Server,v4.3,CARESCAPE Central Station,v1.X,CARESCAPE Central Station,v2.X,B450,v2.X,B650,v1.X,B650,v2.X,B850,v1.X,B850,v2.X`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:gehealthcare:apexpro_telemetry_server_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gehealthcare:apexpro_telemetry_server:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:gehealthcare:carescape_b450_monitor_firmware:2.0:*:*:*:*:*:*:*

cpe:2.3:h:gehealthcare:carescape_b450_monitor:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

OR	cpe:2.3:o:gehealthcare:carescape_b650_monitor_firmware:1.0:::::::*
	cpe:2.3:o:gehealthcare:carescape_b650_monitor_firmware:2.0:::::::*

cpe:2.3:h:gehealthcare:carescape_b650_monitor:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

OR	cpe:2.3:o:gehealthcare:carescape_b850_monitor_firmware:1.0:::::::*
	cpe:2.3:o:gehealthcare:carescape_b850_monitor_firmware:2.0:::::::*

cpe:2.3:h:gehealthcare:carescape_b850_monitor:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:gehealthcare:carescape_central_station_mai700_firmware:1.0:*:*:*:*:*:*:*

cpe:2.3:h:gehealthcare:carescape_central_station_mai700:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:gehealthcare:carescape_central_station_mas700_firmware:1.0:*:*:*:*:*:*:*

cpe:2.3:h:gehealthcare:carescape_central_station_mas700:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

OR	cpe:2.3:o:gehealthcare:clinical_information_center_mp100d_firmware:4.0:::::::*
	cpe:2.3:o:gehealthcare:clinical_information_center_mp100d_firmware:5.0:::::::*

cpe:2.3:h:gehealthcare:clinical_information_center_mp100d:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

OR	cpe:2.3:o:gehealthcare:clinical_information_center_mp100r_firmware:4.0:::::::*
	cpe:2.3:o:gehealthcare:clinical_information_center_mp100r_firmware:5.0:::::::*

cpe:2.3:h:gehealthcare:clinical_information_center_mp100r:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:gehealthcare:carescape_telemetry_server_mp100r_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gehealthcare:carescape_telemetry_server_mp100r:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Gehealthcare Subscribe	Apexpro Telemetry Server Subscribe Apexpro Telemetry Server Firmware Subscribe Carescape B450 Monitor Subscribe Carescape B450 Monitor Firmware Subscribe Carescape B650 Monitor Subscribe Carescape B650 Monitor Firmware Subscribe Carescape B850 Monitor Subscribe Carescape B850 Monitor Firmware Subscribe Carescape Central Station Mai700 Subscribe Carescape Central Station Mai700 Firmware Subscribe Carescape Central Station Mas700 Subscribe Carescape Central Station Mas700 Firmware Subscribe Carescape Telemetry Server Mp100r Subscribe Carescape Telemetry Server Mp100r Firmware Subscribe Clinical Information Center Mp100d Subscribe Clinical Information Center Mp100d Firmware Subscribe Clinical Information Center Mp100r Subscribe Clinical Information Center Mp100r Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2020-28105	In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsma-20-023-01
https://www3.gehealthcare.com/~/media/downloads/us/support/site-planning/site-readiness/gehc-gateway_project_implementation_guide_pdf.pdf

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-01-24T17:06:53

Updated: 2024-08-04T09:18:02.543Z

Reserved: 2020-01-14T00:00:00

Link: CVE-2020-6965

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-24T18:15:12.647

Modified: 2024-11-21T05:36:24.030

Link: CVE-2020-6965

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object