Critical, Unpatched ‘MDhex’ Bugs Threaten Hospital Devices

The Feds have warned on six vulnerabilities in GE medical equipment that could affect patient monitor alarms and more.

A collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals has been discovered. Dubbed “MDhex” by the researchers at CyberMDX who discovered them, the bugs would allow attackers to disable the devices, harvest personal health information (PHI), change alarm settings and alter device functionality.

According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which disclosed the bugs on Thursday, the six different design flaws are present in the GE CARESCAPE product line.

Affected products include certain versions of the CARESCAPE Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor.

“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX noted in a statement sent to Threatpost. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”

Five of the bugs have CVSS (v3.1) scores of 10, making them critical in severity:

  • CVE-2020-6961, which could allow an attacker to obtain access to the SSH private key in configuration files thanks to improper storage;
  • CVE-2020-6962, which is an improper input validation bug that exists in the products’ web-based system configuration utility. Exploitation could allow an attacker to obtain arbitrary remote code execution (RCE);
  • CVE-2020-6963, which enables rogue SMB (Windows file-share) connections as a result of credentials being hardcoded in Windows XP Embedded (XPe) operating system. This also would allow RCE;
  • CVE-2020-6964, which exists in the integrated service for keyboard switching of the affected devices. Missing authentication means that attackers can obtain remote keyboard input access;
  • And CVE-2020-6965, which is an unrestricted upload vulnerability in the software update mechanism that allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.

The remaining vulnerability scored an 8.5 on the National Infrastructure Advisory Council’s (NIAC) 1-10 severity scale. CVE-2020-6966 arises from affected products using a weak encryption scheme for remote desktop control, which may allow an attacker to obtain RCE of devices on the network.

The MDhex vulnerabilities were named in reference to the number of CVEs issued (hex coming from the Greek for six) and their existence in medical devices (MD), as well as the potential for bad actors to wreak havoc from a distance “as in a witch’s hex,” Elad Luz, head of research at CyberMDX, told Threatpost. He added that they all present a direct path to a vulnerable device’s compromise, with a low bar for exploitation.

“The attack complexity on those vulnerabilities is rated low,” Luz said. “For some – credentials are publicly available. After obtaining credentials an attacker can use pretty standard software to complete the attack (such as file sharing, VNC, SSH Client). Most of the vulnerabilities are caused by hard-coded credentials (hard-coded, not default).”

He added, “Some of those credentials can be obtained from the product’s documentation, others can be recovered pretty easily from a device itself. Once obtained, those same credentials are relevant for the entire product line. Using them an attacker could perform a remote code execution. This means they can access data, alter it, change functionality and so on.”

If exploited, this vulnerability could directly impact the confidentiality, integrity and availability of devices — which in the case of alarms in patient monitors, means the equipment could fail to advise the nurse’s station of a problem.

“Most of the affected equipment can set the patient monitor’s alarm limits, admit or discharge patients, set date and time,” Luz said. “So far there haven’t been any evidence of attacks from these attacks in the wild. As I’m a cybersecurity researcher and not a physician, I wouldn’t want to speculate on what impact this could have on patient care, but I think it’s fair to say that any manipulation of a medical device by an external actor should be protected against.”

The vulnerabilities were first reported on September 18, and CyberMDX, GE and CISA collaborated on the responsible disclosure process. According to the CISA notice, GE is in the process of developing patches, which will be available here. In the meantime, mitigations include network segregation, the changing of default passwords and other best practices, CISA said.

The discovery of this crop of vulnerabilities is the latest in a line of concerning hospital equipment bugs.

Suggested articles