Bug in Anesthesia Machines Allows Changing Gas Mix Levels


A vulnerability in the firmware of some anesthesia machines used in hospitals could be abused to change normal functionality up to the point of adjusting the level of inhalational substances.

The flaw affects GE Aestiva and GE Aespire anesthesia systems, models 7100 and 7900, from GE Healthcare (part of General Electric Company) and permits sending them commands over the local network.

A threat actor would need to be on the same network as the vulnerable machines and there is not need for special privileges. If the system is connected to a terminal server, knowing the IP address of the targets is not necessary.

Read more…
Source: Bleeping Computer