Share this article on:
Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.
Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.
Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.
CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.
CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.
CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.
CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.
CVE-2020-6964 (CVSS 10.0) is due to missing authentication for critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.
CVE-2020- 6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.
CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which cloud lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.
According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:
- ApexPro Telemetry Server, Versions 4.2 and prior
- CARESCAPE Telemetry Server, Versions 4.2 and prior
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Telemetry Server, Version 4.3
- CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
- B450, Version 2.X
- B650, Version 1.X; Version 2.X
- B850, Version 1.X; Version 2.X
GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.
Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.
If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.
The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.
Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.
Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.