Details of VAR-201508-0597

ID

VAR-201508-0597

CVE

CVE-2014-7233

TITLE

GE Healthcare Precision THUNIS-800+ Trust Management Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-05135 // CNNVD: CNNVD-201508-036

DESCRIPTION

GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973 for the factory default System Utilities menu, (2) TH8740 for installation using TH8740_122_Setup.exe, (3) hrml for "Setup and Activation" using DSASetup, and (4) an empty string for Shutter Configuration, which has unspecified impact and attack vectors. NOTE: since these passwords appear to be used to access functionality during installation, this issue might not cross privilege boundaries and might not be a vulnerability. GE Healthcare Precision THUNIS-800+ (PT800+) is an integrated digital remote control multi-function X-ray machine (X-ray generating equipment) for the medical industry. There is a security vulnerability in GE Healthcare PT800+. An attacker could exploit this vulnerability to control the device. Remote attackers with knowledge of the default credentials may exploit these vulnerabilities to gain unauthorized access and perform unauthorized actions. This may aid in further attacks

Trust: 2.43

sources: NVD: CVE-2014-7233 // JVNDB: JVNDB-2015-004011 // CNVD: CNVD-2015-05135 // BID: 76170

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-05135

AFFECTED PRODUCTS

vendor:	gehealthcare	model:	precision thunis-800\+	scope:	eq	version:	*	Trust: 1.0
vendor:	ge healthcare	model:	precision thunis-800+	scope:	-	version:	-	Trust: 0.8
vendor:	ge	model:	precision thunis-800+	scope:	-	version:	-	Trust: 0.6
vendor:	gehealthcare	model:	precision thunis-800\+	scope:	-	version:	-	Trust: 0.6
vendor:	general	model:	electric healthcare precision thunis-800+	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2015-05135 // BID: 76170 // JVNDB: JVNDB-2015-004011 // CNNVD: CNNVD-201508-036 // NVD: CVE-2014-7233

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-7233
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-7233
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-05135
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201508-036
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-7233
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-05135
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2015-05135 // JVNDB: JVNDB-2015-004011 // CNNVD: CNNVD-201508-036 // NVD: CVE-2014-7233

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2015-004011 // NVD: CVE-2014-7233

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-036

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201508-036

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004011

PATCH

title:

GE Healthcare Precision THUNIS-800+ R&F System Service Manual

url:

http://apps.gehealthcare.com/servlet/ClientServlet/5458232-1EN+r4.pdf?REQ=RAA&DIRECTION=5458232-1EN&FILENAME=5458232-1EN%2Br4.pdf&FILEREV=4&DOCREV_ORG=4

Trust: 0.8

sources: JVNDB: JVNDB-2015-004011

EXTERNAL IDS

db:	NVD	id:	CVE-2014-7233	Trust: 3.3
db:	ICS CERT	id:	ICSMA-18-037-02	Trust: 1.8
db:	JVNDB	id:	JVNDB-2015-004011	Trust: 0.8
db:	CNVD	id:	CNVD-2015-05135	Trust: 0.6
db:	CNNVD	id:	CNNVD-201508-036	Trust: 0.6
db:	BID	id:	76170	Trust: 0.3

sources: CNVD: CNVD-2015-05135 // BID: 76170 // JVNDB: JVNDB-2015-004011 // CNNVD: CNNVD-201508-036 // NVD: CVE-2014-7233

REFERENCES

url:	http://www.forbes.com/sites/thomasbrewster/2015/07/10/vulnerable-breasts/	Trust: 2.7
url:	https://twitter.com/digitalbond/status/619250429751222277	Trust: 1.9
url:	http://apps.gehealthcare.com/servlet/clientservlet/5458232-1en+r4.pdf?req=raa&direction=5458232-1en&filename=5458232-1en%2br4.pdf&filerev=4&docrev_org=4	Trust: 1.9
url:	https://ics-cert.us-cert.gov/advisories/icsma-18-037-02	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7233	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7233	Trust: 0.8
url:	http://apps.gehealthcare.com/servlet/clientservlet/5458232-1en+r4.pdf?req=raa&direction=5458232-1en&filename=5458232-1en%2br4.pdf&filerev=4&docrev_org=4	Trust: 0.6
url:	http://www3.gehealthcare.com/en/global_gateway	Trust: 0.3

sources: CNVD: CNVD-2015-05135 // BID: 76170 // JVNDB: JVNDB-2015-004011 // CNNVD: CNNVD-201508-036 // NVD: CVE-2014-7233

CREDITS

Scott Erven of Protiviti.

Trust: 0.3

sources: BID: 76170

SOURCES

db:	CNVD	id:	CNVD-2015-05135
db:	BID	id:	76170
db:	JVNDB	id:	JVNDB-2015-004011
db:	CNNVD	id:	CNNVD-201508-036
db:	NVD	id:	CVE-2014-7233

LAST UPDATE DATE

2024-08-14T13:33:49.979000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-05135	date:	2015-08-06T00:00:00
db:	BID	id:	76170	date:	2015-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2015-004011	date:	2018-04-02T00:00:00
db:	CNNVD	id:	CNNVD-201508-036	date:	2015-08-05T00:00:00
db:	NVD	id:	CVE-2014-7233	date:	2018-03-28T01:29:03.293

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-05135	date:	2015-08-06T00:00:00
db:	BID	id:	76170	date:	2015-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2015-004011	date:	2015-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201508-036	date:	2015-08-05T00:00:00
db:	NVD	id:	CVE-2014-7233	date:	2015-08-04T14:59:25.720