Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States.

The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device.

The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900.

GE Healthcare has confirmed this is not a vulnerability in GE Healthcare device themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no introduction of clinical hazard of direct patient risk.” When the device is in use, changes would not alter the delivery of therapy to a patient and exploitation of the vulnerability would not result in information exposure.

GE Healthcare has provided mitigations to prevent exploitation of the vulnerability. When connecting GE Healthcare anesthesia device serial ports to TCP/IP networks, secure terminal servers should be used and best practices for terminal servers should be followed.

The security features of secure terminal servers include user authentication, strong encryption, network controls, VPN, logging and audit capability, and secure configuration and management options.

Best practices to adopt include governance, management, and secure deployment measures, including the use of VLANS, device isolation, and network segmentation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.