11 Vulnerabilities Identified in GE HealthCare Ultrasound Products
Almost a dozen vulnerabilities have been identified in GE HealthCare Vivid Ultrasound machines that could be exploited by threat actors to access and alter patient data, and potentially to install ransomware locally to render the devices unavailable. The vulnerabilities were identified by researchers at the operational technology (OT) security vendor Nozomi Networks during a review of the GE HealthCare Vivid Ultrasound family and the companion software used to review the medical data the devices generate. The review focused on the Vivid T9 ultrasound system, its pre-installed Common Service Desktop web application, and the EchoPAC software.
The researchers identified 11 vulnerabilities affecting several systems and software products. The vulnerabilities were reported to GE HealthCare, which issued a statement saying that existing controls mitigate the risk of exploitation to an acceptable level, provided standard cybersecurity practices are followed, such as restricting physical access to the devices. Patches to fix the vulnerabilities have been made available to customers via the GE HealthCare Product Security Portal.
The affected devices are:
- Vivid products, not including EchoPAC: All versions
- LOGIQ, not including LOGIQ 100 Pro: All versions
- Voluson, not including ImageVault: All versions
- Versana Essential: All versions
- Invenia ABUS Scan station, not including VScan product line: All versions
- Venue, not including Venue 40 R1-3 and Venue 50 R4-5: All versions
To exploit the vulnerabilities, an attacker would need access to the hospital environment and to a vulnerable device, since the attack requires operating the device's embedded keyboard and trackpad; this physical-access requirement limits the potential for exploitation. If the vulnerabilities are successfully exploited, an attacker could ultimately achieve arbitrary code execution with administrative privileges.
Since administrative privileges can be gained, it is possible to deactivate the security protections of the underlying Windows operating system. The researchers demonstrated that proof-of-concept ransomware could render Vivid T9 devices inoperable, as well as workstations running EchoPAC. On both EchoPAC and the Vivid T9, controls can be bypassed to access and manipulate all patient data stored in the companion SQL Anywhere database.
The vulnerability with the highest severity rating is CVE-2024-27107, a critical flaw with a CVSS score of 9.6 caused by the use of hard-coded credentials. The other vulnerabilities are: a protection mechanism failure (CVE-2020-6977 – CVSS 8.4) that allows a threat actor to escape the kiosk mode functionality and access the underlying operating system; a command injection vulnerability (CVE-2024-1628 – CVSS 8.4); elevation of privilege vulnerabilities (CVE-2024-27110 – CVSS 8.4 and CVE-2024-1486 – CVSS 7.4); path traversal vulnerabilities (CVE-2024-1630 – CVSS 7.7 and CVE-2024-1629 – CVSS 6.2); insufficiently protected credentials (CVE-2024-27109 – CVSS 7.6); and a lack of encryption for sensitive data (CVE-2024-27106 – CVSS 5.7).