PT-2020-6969 · GE HealthCare · Vivid+6

Published: 2020-02-18 · Updated: 2024-05-17 · CVE-2020-6977

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

GE HealthCare Ultrasound Products: all versions
Vivid products: all versions
LOGIQ: all versions, excluding LOGIQ 100 Pro
Voluson: all versions
Versana Essential: all versions
Invenia ABUS Scan station: all versions
Venue: all versions, excluding Venue 40 R1-3 and Venue 50 R4-5

Description

The issue is a security mechanism bypass in the Kiosk Mode of GE HealthCare ultrasound systems, allowing an attacker to bypass security restrictions, gain unauthorized access to protected information, and elevate their privileges. A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality, enabling a user to escape the restricted environment with specially crafted inputs and access the underlying operating system.

Recommendations

For Vivid products, restrict access to the Kiosk Mode functionality until a patch is available.
For LOGIQ, excluding LOGIQ 100 Pro, consider disabling the Kiosk Mode feature to minimize the risk of exploitation.
For Voluson, Versana Essential, and Invenia ABUS Scan station, avoid using the Kiosk Mode until the issue is resolved.
For Venue, excluding Venue 40 R1-3 and Venue 50 R4-5, temporarily disable the Kiosk Mode to prevent potential attacks.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Protection Mechanism Failure

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-04475
CVE-2020-6977

Affected Products

GE HealthCare Ultrasound Products
Invenia ABUS Scan Station
LOGIQ
Venue
Versana Essential
Vivid
Voluson