Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/23/2020
01:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Severe Vulnerabilities Discovered in GE Medical Devices

CISA has released an advisory for six high-severity CVEs for GE Carescape patient monitors, Apex Pro, and Clinical Information Center systems.

The US Cybersecurity and Infrastructure Agency (CISA) today issued an advisory for six high-severity security vulnerabilities in patient monitoring devices manufactured by GE Healthcare.

These flaws, collectively dubbed "MDhex," could allow an attacker to make changes at the software level of a device and in doing so interfere with its functionality, render it unusable, change alarm settings, or expose personal health information (PHI). Their discovery began with CyberMDX security researchers investigating the CIC Pro, a common product among customers.

The CIC Pro is a workstation that hospital staff use to view their patients' physiological data, waveforms, and demographics. Data is transmitted from multiple patient-side monitors and collected through a shared network. CIC Pro may be used to centrally manage patient monitors for things such as admission, date and time synchronization, and setting alarm limits.

Researchers started the investigation when they noticed CIC Pro devices in the field had open ports running an outdated and potentially problematic version of Webmin. "It was allowing incoming traffic on a range of management ports," says head of research Elad Luz. "With that [discovery], we thought we'd do an in-depth examination of that product ourselves."

Their analysis led to a total of six severe vulnerabilities, as listed in CISA's advisory. Five were assigned a CVSS maximum severity score of 10: CVE-2020-6961, CVE-2020-6963, CVE-2020-6964, CVE-2020-6966, and CVE-2020-6962. The sixth, CVE-2020-6965, was given a high-severity score of 8.5. MDhex was reported to GE on September 18, 2019, and is being formally disclosed today after a period of collaboration among GE, CISA, and CyberMDX to confirm and evaluate the vulnerabilities.

The popular Carescape product line, launched in 2007, has been adopted by hospitals around the world. Products affected by these vulnerabilities include certain versions of the Carescape CIC, Apex Telemetry Server/Tower, Central Station (CSCS) Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. GE did not disclose the number of affected devices; however, CyberMDX believes the installed base is in the hundreds of thousands.

Inside a hospital, these devices are deployed on a network they share with other monitoring equipment, which also consists of vulnerable devices. If a hospital has one of these affected products, they likely have the others, Luz points out.

Each flaw exists in a different aspect of device design and configuration. CVE-2020-6961 is an SSH vulnerability. An SSH server configuration typically holds a file holding public keys of entities authorized to connect. In vulnerable devices, the configuration also has a private key — which is the same across the entire medical product line.

"The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products," researchers write in a blog post. "Using the private key, an attacker could remotely access and execute code on these devices — potentially comprising the device's very availability as well as the confidentiality and integrity of any data it holds."

The issue of hard-coded credentials also exists in Microsoft Server Message Block vulnerability CVE-2020-6963. Credentials underlying this flaw can be accessed by doing password recovery on the Window XP operating system of affected devices. With these credentials, an attacker could break into other devices. CVE-2020-6964 exists in MultiMouse/Kavoon KM software, which enables remote keyboard, mouse, and clipboard control of a device. The bug could let an attacker abuse this functionality and take over devices without any credential controls to alter device settings and change data.

VNC vulnerability CVE-2020-6966 enables remote control in VNC, a software used for remote desktop access. Credentials for this are insecurely stored and can be found in publicly available and easily searchable product documentation. CVE-2020-6962 pertains to the deprecated version of Webmin (1.2.5) in affected devices, which are exposed to known exploits in the wild.

These vulnerabilities generated the highest scores because they easily allow hackers to do remote code execution, which Luz considers "the endgame" for the majority of cyberattacks.

"Once you gain that remote code execution, you can [alter] the device functionality, perhaps make it unusable, perhaps make it display false data, things like that," he explains. While it's not clear why an attacker might target a specific medical device, the level of access granted by these vulnerabilities could enable a large-scale ransomware attack on a healthcare target.

GE plans to provide patches and additional security information for affected users over the coming months. Users can check its website for more updates or contact the company directly. In the meantime, mitigations are offered in the CyberMDX blog post.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17452
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
CVE-2020-17451
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
CVE-2020-17447
PUBLISHED: 2020-08-09
MyBB before 1.8.24 allows XSS because the visual editor mishandles [align], [size], [quote], and [font] in MyCode.
CVE-2020-16248
PUBLISHED: 2020-08-09
** DISPUTED ** Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.