
Threat Intelligence

1/23/2020
01:40 PM

Severe Vulnerabilities Discovered in GE Medical Devices

CISA has released an advisory for six high-severity CVEs for GE Carescape patient monitors, Apex Pro, and Clinical Information Center systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) today issued an advisory covering six high-severity vulnerabilities in patient monitoring devices manufactured by GE Healthcare.

The flaws, collectively dubbed "MDhex," could allow an attacker to modify a device's software and in doing so interfere with its operation, render it unusable, change alarm settings, or expose protected health information (PHI). The research began when CyberMDX security researchers examined the CIC Pro, a product widely deployed among GE's hospital customers.

The CIC Pro is a workstation that hospital staff use to view their patients' physiological data, waveforms, and demographics. It receives that data from multiple bedside monitors over a shared network. CIC Pro can also be used to centrally manage the patient monitors themselves, including patient admission, date and time synchronization, and setting alarm limits.

The investigation started when researchers noticed CIC Pro devices in the field exposing open ports served by an outdated and potentially problematic version of Webmin. "It was allowing incoming traffic on a range of management ports," says CyberMDX head of research Elad Luz. "With that [discovery], we thought we'd do an in-depth examination of that product ourselves."

Their analysis yielded six vulnerabilities, all listed in CISA's advisory. Five carry the maximum CVSS score of 10.0: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, and CVE-2020-6966. The sixth, CVE-2020-6965, scored 8.5 (high). MDhex was reported to GE on September 18, 2019, and is being formally disclosed today after a period of collaboration among GE, CISA, and CyberMDX to confirm and evaluate the vulnerabilities.

The popular Carescape product line, launched in 2007, has been adopted by hospitals around the world. Products affected by these vulnerabilities include certain versions of the Carescape CIC, Apex Telemetry Server/Tower, Central Station (CSCS) Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. GE did not disclose the number of affected devices; however, CyberMDX believes the installed base is in the hundreds of thousands.

Inside a hospital, these devices sit on a network they share with other monitoring equipment, much of which is affected by the same flaws. If a hospital has one of the affected products, it very likely has the others as well, Luz points out, so compromising one device gives an attacker a foothold next to the rest.

Each flaw exists in a different aspect of device design and configuration. CVE-2020-6961 concerns SSH. An SSH server normally holds a file listing the public keys of the accounts authorized to connect, while the matching private keys stay with the connecting parties. In the vulnerable devices the private key is stored on the device itself, and it is the same key across the entire product line, so extracting it from any one unit yields a credential that is accepted by every other unit.

"The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products," researchers write in a blog post. "Using the private key, an attacker could remotely access and execute code on these devices — potentially compromising the device's very availability as well as the confidentiality and integrity of any data it holds."
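A practical check for the shared-key condition described above, added here as an example and not code from CyberMDX, GE or CISA: it parses authorized_keys lines collected from several devices, computes each key's OpenSSH-style SHA256 fingerprint (the same value ssh-keygen -lf prints for a public key), and reports any public key that is authorized on more than one unit. The device names and key bytes are constructed for illustration. A key that turns up on every unit of a fleet is the pattern a vendor-wide service key produces, and the private half of such a key is what CVE-2020-6961 exposes.

```python
"""Fleet audit: find SSH public keys authorized on more than one device.

Added example, not vendor or advisory code. Device names and key material
below are constructed; in practice the text would be read from each unit's
~/.ssh/authorized_keys (or the sshd AuthorizedKeysFile path).
"""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys line for a 32-byte Ed25519 public key.

    Used only to construct sample input here; on a real system OpenSSH
    writes these lines itself.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_key_blob(blob: bytes) -> List[bytes]:
    """Split an OpenSSH public key blob into its length-prefixed fields."""
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[i:i + n])
        i += n
    return fields


def fingerprint(line: str) -> Optional[Tuple[str, str]]:
    """Return (key type, 'SHA256:...' fingerprint) for one authorized_keys
    line, or None for blank lines and comments.

    Layout is: [options] keytype base64-blob [comment]. The key is located
    by scanning for the key-type token, so an options field (from=, command=)
    in front of it is tolerated.
    """
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    parts = s.split()
    for idx in range(len(parts) - 1):
        if parts[idx].startswith(("ssh-", "ecdsa-", "sk-")):
            ktype, b64 = parts[idx], parts[idx + 1]
            break
    else:
        raise ValueError(f"no key found in line: {s[:40]!r}")
    blob = base64.b64decode(b64)
    if parse_key_blob(blob)[0] != ktype.encode():
        raise ValueError("key type inside blob does not match prefix")
    # OpenSSH fingerprint: base64(SHA256(blob)) with '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    return ktype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(fleet: Dict[str, str]) -> Dict[str, List[str]]:
    """Map fingerprint -> sorted device names, keeping only keys that are
    authorized on more than one device."""
    seen = defaultdict(set)
    for device, text in fleet.items():
        for line in text.splitlines():
            parsed = fingerprint(line)
            if parsed:
                seen[parsed[1]].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


# Constructed sample input: one vendor key on every unit, plus per-unit keys.
VENDOR_KEY = make_ed25519_pubkey(b"\x01" * 32, "service@vendor")
FLEET = {
    "monitor-01": VENDOR_KEY + "\n"
                  + make_ed25519_pubkey(bytes(range(32)), "admin@monitor-01") + "\n",
    "monitor-02": "# managed by site IT\n" + VENDOR_KEY + "\n",
    "monitor-03": 'from="10.0.0.5" ' + VENDOR_KEY + "\n"
                  + make_ed25519_pubkey(bytes(range(32, 64)), "admin@monitor-03") + "\n",
}

if __name__ == "__main__":
    for fp, devices in shared_keys(FLEET).items():
        print(f"{fp} authorized on {len(devices)} devices: {', '.join(devices)}")
```

Any fingerprint reported for every device deserves follow-up: find out who holds the private key, and check whether a copy of it ships on the devices themselves, which is the MDhex condition. On a live unit the same fingerprints can be produced with ssh-keygen -lf for comparison.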

Hard-coded credentials also underlie CVE-2020-6963, which involves Microsoft Server Message Block (SMB). The credentials can be obtained by running password recovery against the Windows XP operating system on an affected device, and because they are shared, an attacker who has them can log in to other devices as well. CVE-2020-6964 exists in the MultiMouse/Kavoon KM software, which provides remote keyboard, mouse, and clipboard control of a device. The bug lets an attacker use that functionality with no credential check at all, taking over the device to alter its settings and change data.

CVE-2020-6966 concerns VNC, the remote desktop software used for remote control of the devices. Its credentials are stored insecurely and can also be found in publicly available, easily searchable product documentation. CVE-2020-6962 pertains to the deprecated version of Webmin (1.2.5) shipped on affected devices, for which public exploits already exist.

These vulnerabilities received the highest scores because each gives an attacker a straightforward path to remote code execution, which Luz considers "the endgame" for the majority of cyberattacks.

"Once you gain that remote code execution, you can [alter] the device functionality, perhaps make it unusable, perhaps make it display false data, things like that," he explains. While it's not clear why an attacker might target a specific medical device, the level of access granted by these vulnerabilities could enable a large-scale ransomware attack on a healthcare target.

GE plans to provide patches and additional security information for affected users over the coming months. Users can check its website for more updates or contact the company directly. In the meantime, mitigations are offered in the CyberMDX blog post.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...