The National Cybersecurity and Communications Integration Center released an advisory May 8 detailing vulnerabilities discovered in a set of GE Healthcare and Silex Technology devices.
The NCCIC, part of the U.S. Department of Homeland Security, serves as a national hub for cybersecurity information and technical expertise and operates a 24/7 analysis and incident response center.
Here are five things to know about the vulnerabilities, which, according to the NCCIC, have the potential to affect the healthcare and public health sectors worldwide.
1. The affected devices comprise GE Healthcare's MobileLink electrocardiogram communication solution, along with Silex Technology's SX-500 and SD-320AN serial device servers.
2. A researcher with information security assessment company Atredis Partners identified the vulnerabilities and reported them to both companies. The vulnerabilities included potential improper authentication and potential operating system command injection, which may be exploited remotely.
3. The NCCIC noted public exploits targeting these vulnerabilities are already available and require a "low skill level to exploit." "Successful exploitation of these vulnerabilities could allow modification of system settings and remote code execution," the advisory reads.
4. GE Healthcare and Silex Technology have developed firmware updates for some of the affected products and released recommendations on password practices to mitigate the vulnerabilities. GE Healthcare also plans to continue posting information regarding the mitigations on its website.
5. The NCCIC recommended users minimize network exposure for all control system devices and isolate control system networks and remote devices from the broader business network to reduce the risk of the vulnerabilities being exploited remotely.