GE Voluson S8 Kiosk Mode protection mechanism

Summaryinfo

A vulnerability labeled as critical has been found in GE Voluson S8. Affected is an unknown function of the component Kiosk Mode. Executing a manipulation can lead to protection mechanism. This vulnerability is tracked as CVE-2020-6977. The attack is restricted to local execution. Moreover, an exploit is present. Applying the suggested workaround is recommended.

Detailsinfo

A vulnerability was found in GE Voluson S8 (Medical Device Software) (the affected version unknown). It has been declared as critical. This vulnerability affects an unknown part of the component Kiosk Mode. The manipulation with an unknown input leads to a protection mechanism vulnerability. The CWE definition for the vulnerability is CWE-693. The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality of affected devices. Specially crafted inputs can allow the user to escape the restricted environment, resulting in access to the underlying operating system. Affected devices include the following GE Ultrasound Products: Vivid products - all versions; LOGIQ - all versions not including LOGIQ 100 Pro; Voluson - all versions; Versana Essential - all versions; Invenia ABUS Scan station - all versions; Venue - all versions not including Venue 40 R1-3 and Venue 50 R4-5

The bug was discovered 01/09/2019. The weakness was disclosed 02/18/2020 by Marc Ruef and Rocco Gagliardi with scip AG as VulDB 129832 as confirmed entry (VulDB). The advisory is shared for download at vuldb.com. The public release has been coordinated in cooperation with the vendor. This issue is part of multiple weaknesses that were reported to GE Healthcare. Not all of them were accepted and addressed with a software patch. The vulnerabilities not accepted were published with a delay and without technical details to prevent attackers from gaining an advantage. This vulnerability was named CVE-2020-6977. The attack needs to be approached locally. No form of authentication is required for a successful exploitation. Technical details are unknown but a private exploit is available.

A private exploit has been developed by Marc Ruef/Rocco Gagliardi. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 405 days. During that time the estimated underground price was around $0-$5k.

The best possible mitigation is suggested to be Workaround. The entry contains the following remark:

GE Healthcare recommends organizations restrict physical access to devices by unauthorized individuals. Additionally, where available, GE recommends users enable the “system lock” password in the Administration GUI menu if possible. This will require a password to be entered before the system can be accessed. The ‘system lock’ would limit non-authenticated users from accessing the application.

Additional details are provided at us-cert.gov. The entries VDB-129835, VDB-129834 and VDB-129833 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Medical Device Software

Vendor

• GE

Name

• Voluson S8

License

• commercial

Website

• Vendor: https://www.ge.com/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion