ID CVE-2010-5308
Summary GE Healthcare Optima MR360 does not require authentication for the HIPAA emergency login procedure, which allows physically proximate users to gain access via an arbitrary username in the Emergency Login screen. NOTE: this might not qualify for inclusion in CVE if unauthenticated emergency access is part of the intended security policy of the product, can be controlled by the system administrator, and is not enabled by default.
References
Vulnerable Configurations
  • cpe:2.3:o:gehealthcare:optima_mr360_firmware:-:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 05-08-2015 - 11:31)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
confirm http://apps.gehealthcare.com/servlet/ClientServlet/MR360+operator+manual+paper.pdf?REQ=RAA&DIRECTION=5339461-1EN&FILENAME=MR360%2Boperator%2Bmanual%2Bpaper.pdf&FILEREV=4&DOCREV_ORG=4
misc
Last major update 05-08-2015 - 11:31
Published 04-08-2015 - 14:59
Last modified 05-08-2015 - 11:31