Share this article on:
Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices.
Affected GE Healthcare Products
|MRI||Brivo, Optima, Signa|
|Ultrasound||EchoPAC, Image Vault, LOGIQ, Vivid, Voluson|
|X-Ray||AMX, Brivo, Definium, Discovery, Optima, Precision|
|Mammography||Seno, Senographe Pristina|
|Computed Tomography||BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution|
|Nuclear Medicine, PET/CT||Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris|
The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws MDHexRay, with both being assigned a CVSS v3 base score of 9.8 out of 10.
The first flaw is due to unprotected transport of credentials across the network and is tracked as CVE-2020-25175. The second flaw is due to the exposure of sensitive system information to an unauthorized control sphere, which could allow exposed/default credentials to be used to access or modify sensitive information.
The CyberMDX researchers found GE Healthcare’s maintenance protocols relied on having certain ports open and accessible to GE Healthcare to allow the devices to be remotely managed over the internet. While it is necessary for credentials to be used for the update and maintenance software, GE Healthcare would only change the default credentials at the request of a customer and the default credentials used by GE Healthcare could be easily found online. It is unclear how many customers requested the default credentials be changed.
Exploiting the vulnerabilities would require an attacker to already be connected to the hospital network. The default credentials could then be used to access vulnerable connected imaging devices and any data stored on the devices. The medical devices could not be accessed over the Internet by unauthorized users who do not have access to a hospital’s internal network. There are no reported cases of the vulnerabilities being exploited in the wild.
GE Healthcare has assessed the vulnerabilities and conducted a risk assessment and determined there are no patient safety concerns; however, the flaws do pose a risk to patient privacy. It would also be possible for an attacker to modify patient data, which could potentially influence the results of certain therapies. Since data only remains on the imaging machines for a limited amount of time before being transferred to PACS, the patient information that could be obtained or modified would be limited.
According to the DHS Cybersecurity and Infrastructure Security Agency (CISA), “If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges. A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”
While there is no patch available to correct the vulnerabilities, it is possible to mitigate the issue by changing the default password; however, that cannot be performed by end users, only by GE Healthcare. GE Healthcare is now notifying its customers and is helping affected customers change the default password and ensure that their product firewalls are set up properly. Customers are also being advised to follow best practices for network management and security. CyberMDX recommends restricting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to listening state.