CVE-2020-6965 — CRITICAL (9.9)

Q: How severe is CVE-2020-6965?

CVE-2020-6965 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-6965?

Check the references section above for vendor advisories and patch information. Affected products include: Gehealthcare Apexpro Telemetry Server Firmware, Gehealthcare Apexpro Telemetry Server, Gehealthcare Carescape B450 Monitor Firmware, Gehealthcare Carescape B450 Monitor, Gehealthcare Carescape B650 Monitor Firmware.

Vulnerability Description

In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gehealthcare	Apexpro Telemetry Server Firmware	<= 4.2
Gehealthcare	Apexpro Telemetry Server	-
Gehealthcare	Carescape B450 Monitor Firmware	2.0
Gehealthcare	Carescape B450 Monitor	-
Gehealthcare	Carescape B650 Monitor Firmware	1.0
Gehealthcare	Carescape B650 Monitor	-
Gehealthcare	Carescape B850 Monitor Firmware	1.0
Gehealthcare	Carescape B850 Monitor	-
Gehealthcare	Carescape Central Station Mai700 Firmware	1.0
Gehealthcare	Carescape Central Station Mai700	-
Gehealthcare	Carescape Central Station Mas700 Firmware	1.0
Gehealthcare	Carescape Central Station Mas700	-
Gehealthcare	Clinical Information Center Mp100D Firmware	4.0
Gehealthcare	Clinical Information Center Mp100D	-
Gehealthcare	Clinical Information Center Mp100R Firmware	4.0
Gehealthcare	Clinical Information Center Mp100R	-
Gehealthcare	Carescape Telemetry Server Mp100R Firmware	<= 4.2
Gehealthcare	Carescape Telemetry Server Mp100R	-

Related Weaknesses (CWE)

CWE-434 CWE-20

References

https://www.us-cert.gov/ics/advisories/icsma-20-023-01Third Party AdvisoryUS Government Resource
https://www3.gehealthcare.com/~/media/downloads/us/support/site-planning/site-reProduct
https://www.us-cert.gov/ics/advisories/icsma-20-023-01Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2020-6965?

CVE-2020-6965 is a vulnerability with a CVSS score of 9.9 (CRITICAL). In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450...

How severe is CVE-2020-6965?

CVE-2020-6965 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-6965?

Check the references section above for vendor advisories and patch information. Affected products include: Gehealthcare Apexpro Telemetry Server Firmware, Gehealthcare Apexpro Telemetry Server, Gehealthcare Carescape B450 Monitor Firmware, Gehealthcare Carescape B450 Monitor, Gehealthcare Carescape B650 Monitor Firmware.