PT-2020-19309 · GE Healthcare · ApexPro Telemetry Server +3

Published: 2020-01-24 · Updated: 2020-03-17 · CVE-2020-6961

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ApexPro Telemetry Server versions 4.2 and prior
CARESCAPE Telemetry Server versions 4.3 and prior
Clinical Information Center (CIC) versions 4.X and 5.X
CARESCAPE Central Station (CSCS) versions 1.X

Description

A vulnerability exists in the affected products that could allow an attacker to obtain access to the SSH private key in configuration files.

Recommendations

For ApexPro Telemetry Server versions 4.2 and prior, update to a version later than 4.2 to resolve the issue.
For CARESCAPE Telemetry Server versions 4.3 and prior, update to a version later than 4.3 to resolve the issue.
For Clinical Information Center (CIC) versions 4.X and 5.X, restrict access to configuration files containing SSH private keys until a patch is available.
For CARESCAPE Central Station (CSCS) versions 1.X, consider disabling SSH access temporarily until a fix is provided.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-6961

Affected Products

Apexpro Telemetry Server
Carescape Central Station
Carescape Telemetry Server
Clinical Information Center