Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution

A CISA alert is flagging a critical default credentials issue that affects 100+ types of devices found in hospitals, from MRI machines to surgical imaging.

A pair of critical vulnerabilities have been discovered in dozens of GE Healthcare radiological devices popular in hospitals. They could allow an attacker to read sensitive personal health information (PHI), alter data and even take a machine offline.

The flaws affect 100 different kinds of CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines and ultrasound devices. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) disclosed the bugs on Tuesday; researchers at CyberMDX found them back in May. They carry a CVSS severity score of 9.8, making them critical, and patches are forthcoming, according to the alert.

“Successfully exploiting the vulnerability may expose sensitive data – such as PHI – or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI,” CyberMDX noted.


The bugs arise because of default credentials used with GE’s proprietary management software, which controls the devices’ integrated PC that runs a Unix-based operating system. The software manages the device as well as its maintenance and update procedures, which are carried out by GE over the internet.

The issue is that the update and maintenance software authenticates connections using credentials that are publicly exposed and can be found online. The first bug (CVE-2020-25175) exposes specific credentials while they are in transit over the network; the second (CVE-2020-25179) allows those exposed default credentials to be used to access or modify sensitive information.

The firm first discovered the bugs after noticing similar patterns of unsecured communications between the medical devices and the vendor's servers across several different healthcare delivery organizations (HDOs).

HDOs are the hospitals, clinics and health systems that own and operate these devices and hold the medical records and imaging files they produce.

Further research showed that these communications came from the multiple recurring maintenance processes mentioned above, which GE's server automatically triggers at set intervals, researchers said in a Tuesday posting.

All of this means that a remote attacker can connect to a device with no user interaction and no prior privileges, and from there can read the unsecured communications flowing between the devices and GE's maintenance servers. The exploitation complexity is extremely low, researchers said.

“The maintenance protocols rely on the machine having certain services available/ports open and using specific globally used credentials,” according to CyberMDX. “These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine.”
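The practical exposure described above comes down to two things an operator can measure: which devices have the maintenance services reachable, and from where. The script below is an added example, not CyberMDX's or GE's code; it runs over a constructed flow log and flags connections to an imaging device's maintenance ports that do not originate from the vendor's maintenance hosts. The device addresses, the port set and the vendor address range are placeholders (the article lists none of them) and must be replaced with values from the site's own inventory and the vendor's documentation.

```python
import ipaddress

# Constructed inventory of imaging devices (hypothetical addresses and names).
MODALITIES = {
    "10.20.1.11": "CT-1",
    "10.20.1.12": "MRI-2",
}

# Placeholder for the service ports the maintenance process needs open on the
# device. The article does not list them; take the real values from the
# vendor's documentation or from a port inventory of your own devices.
MAINTENANCE_PORTS = {21, 22, 23}

# Placeholder for the address range the vendor's maintenance servers use
# (assumed; documentation-only range, substitute the real one).
VENDOR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_vendor_source(ip: str) -> bool:
    """True if the source address falls inside an approved vendor range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_NETWORKS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def find_exposures(lines):
    """Return (timestamp, source, device, port) for every connection to a
    maintenance port on an imaging device from a non-vendor address."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in MODALITIES:
            continue  # not one of the tracked imaging devices
        if flow["dport"] not in MAINTENANCE_PORTS:
            continue  # ordinary traffic, e.g. DICOM or HTTPS
        if is_vendor_source(flow["src"]):
            continue  # expected vendor maintenance session
        findings.append(
            (flow["ts"], flow["src"], MODALITIES[flow["dst"]], flow["dport"])
        )
    return findings


def exposed_devices(lines):
    """Device names with at least one non-vendor maintenance-port connection."""
    return sorted({device for _, _, device, _ in find_exposures(lines)})


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = """\
2020-12-08T10:01:00Z 203.0.113.25 10.20.1.11 22
2020-12-08T10:02:00Z 10.50.7.3 10.20.1.11 22
2020-12-08T10:03:00Z 10.50.7.3 10.20.1.12 443
2020-12-08T10:04:00Z 198.51.100.9 10.20.1.12 23
2020-12-08T10:05:00Z 10.50.7.3 10.20.9.9 21
"""

if __name__ == "__main__":
    for ts, src, device, port in find_exposures(SAMPLE_FLOWS.splitlines()):
        print("non-vendor access to %s port %d from %s at %s" % (device, port, src, ts))
```

Any hit is a host on the hospital network that can reach the same services the shared credentials unlock; the same allowlist can be turned into firewall rules that restrict those ports to the vendor range while the credential change is pending.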

The affected product lines include: Brivo; Definium; Discovery; Innova; Optima; Odyssey; PetTrace; Precision; Seno; Revolution; Ventri; and Xeleris.

GE has confirmed the vulnerability, which impacts the radiological devices as well as certain workstations and imaging devices used in surgery, according to the CyberMDX alert. GE Healthcare plans to provide patches, it confirmed – but no timeline has been mapped out.

In the meantime, administrators should contact GE Healthcare and request a credentials change on all affected devices in a facility. Unfortunately, the change can only be performed by the GE Healthcare Support team. Until it is done, the maintenance services those credentials protect should be reachable only from the vendor's maintenance hosts, not from the general hospital network.

This is the second group of unpatched issues for GE Healthcare devices this year. In January, CyberMDX disclosed a collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals. Dubbed "MDhex," the bugs would allow attackers to disable the devices, harvest PHI, change alarm settings and alter device functionality.

“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, head of research at CyberMDX. “Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
