Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink (Update B)
Plan Patch · 7.4 · ICS-CERT ICSMA-18-128-01 · May 8, 2018
Attack Vector: Network
Auth Required: Low (low-privilege account)
Complexity: Low
User Interaction: None needed
Summary
Two vulnerabilities in Silex Technology SX-500/SD-320AN network modules and the GE Healthcare MobileLink devices that embed them allow an attacker with low-privilege network access to modify system settings or execute remote commands. CVE-2018-6020 affects the SX-500 and the GEH-500 used in GE MobileLink through improper credential handling in the "update" account. CVE-2018-6021 affects the GEH-SD-320AN and SD-320AN through insufficient input validation. Three of the four affected products are end-of-life with no vendor fix; only the GEH-SD-320AN has a firmware update (version 1.14).
What this means
What could happen
An attacker with valid low-privilege credentials could modify device configuration settings or run arbitrary commands, potentially disrupting clinical workflows, compromising patient data access, or disabling medical device connectivity on the hospital network.
Who's at risk
Healthcare IT staff operating Silex SX-500 network appliances and GE MobileLink patient monitoring or telemedicine devices. The SX-500 series (end-of-life since 2011), the SD-320AN (end-of-life since November 2017) and the GEH-500 are no longer supported. Any organization still running these devices for patient data routing, monitoring gateway, or network bridge functions should treat them as decommissioning candidates.
How it could be exploited
An attacker with network access to the device's web interface and a low-privilege account could log in and abuse the two weaknesses: on SX-500/GEH-500 (CVE-2018-6020), the improperly protected "update" account gives access to configuration that should require a stronger credential, so system settings can be changed; on GEH-SD-320AN/SD-320AN (CVE-2018-6021), insufficient validation of submitted input lets the attacker execute commands on the device remotely.
Prerequisites
- Network access to device web interface (port 80/443)
- Valid low-privilege user credentials
- Device connected to accessible network segment
Key facts:
- Remotely exploitable
- Low complexity attack
- End-of-life products with no vendor patches (except GEH-SD-320AN)
- Authentication required, but only a low-privilege account
- Affects healthcare/clinical operations
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4): 1 with fix, 3 EOL

Product        Affected versions                                    Fix status
SX-500         All versions (end-of-life 2011)                      No fix (EOL)
GEH-500        1.54 and prior (integrated into GE MobileLink)       No fix (EOL)
GEH-SD-320AN   GEH-1.1 and prior (integrated into GE MobileLink)    Fixed in 1.14
SD-320AN       2.01 and prior (end-of-life Nov 2017)                No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For SX-500 and GE MobileLink devices: enable the "update" account in the web interface (it is disabled by default) and immediately set a strong secondary password for it, so that the account cannot be used for unauthorized configuration changes.
HARDENING: For all affected devices: restrict network access to the web interface (port 80/443) to authorized engineering workstations and administrative subnets only, using firewall rules at the segment boundary.
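One concrete way to implement that firewall restriction, as an added example (this is not part of the ICS-CERT advisory or of Silex/GE guidance): an nftables ruleset for the Linux router or firewall that forwards traffic into the VLAN holding the devices. The addresses are assumptions chosen for illustration: 10.20.30.0/24 stands for the device VLAN and 10.1.1.0/28 for the engineering workstations; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Added example, not vendor guidance. All addresses are assumed placeholders:
#   10.20.30.0/24  VLAN that holds the SX-500 / MobileLink devices
#   10.1.1.0/28    engineering workstations allowed to reach the web UI
# Load on the router/firewall that forwards traffic into the device VLAN.

# Idempotent reload: create the table if missing, then delete and redefine it,
# so re-running this file never duplicates rules and never touches other tables.
table inet medical_devices
delete table inet medical_devices

table inet medical_devices {
    set device_vlan {
        type ipv4_addr
        flags interval
        elements = { 10.20.30.0/24 }
    }

    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.0/28 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies from the devices to already-accepted flows are fine.
        ct state established,related accept

        # Web interface (the advisory's port 80/443 prerequisite):
        # only the engineering workstations may open connections to it.
        ip saddr @admin_hosts ip daddr @device_vlan tcp dport { 80, 443 } accept

        # Any other attempt to reach the web UI is logged (for SOC review) and dropped.
        ip daddr @device_vlan tcp dport { 80, 443 } log prefix "medical-webui-denied " drop

        # Traffic to other ports on the device VLAN is left to the existing policy.
    }
}
```

Load it with `nft -f` and confirm with `nft list table inet medical_devices`; then, from a host outside 10.1.1.0/28, a `curl -m 5 http://10.20.30.<device>/` should time out while the same request from an engineering workstation succeeds, and the kernel log should show a `medical-webui-denied` entry for the blocked attempt. The ruleset only narrows who can reach the web interface; the "update" account password and, for GEH-SD-320AN, the 1.14 firmware are still required.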
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: For GEH-SD-320AN only: download and apply firmware update version 1.14 from the Silex Technology website (silextechnology.com/geh320an/).
Mitigations - no patch available
The following products have reached end of life with no planned fix: SX-500 (all versions), GEH-500 (1.54 and prior), SD-320AN (2.01 and prior). Apply the following compensating controls:
HARDENING: Conduct an urgent decommissioning assessment for SX-500 (EOL 2011), SD-320AN (EOL Nov 2017) and GEH-500 units (including those integrated into GE MobileLink). Plan replacement with supported models within 6 months.
CVEs (2)
CVE-2018-6020: improper credential handling in the "update" account (SX-500 all versions; GEH-500 1.54 and prior, as integrated into GE MobileLink).
CVE-2018-6021: insufficient input validation allowing remote command execution (GEH-SD-320AN GEH-1.1 and prior, fixed in 1.14; SD-320AN 2.01 and prior).