The US Cybersecurity and Infrastructure Agency (CISA) today issued an advisory for six high-severity security vulnerabilities in patient monitoring devices manufactured by GE Healthcare.
These flaws, collectively dubbed "MDhex," could allow an attacker to make changes at the software level of a device and in doing so interfere with its functionality, render it unusable, change alarm settings, or expose personal health information (PHI). Their discovery began with CyberMDX security researchers investigating the CIC Pro, a common product among customers.
The CIC Pro is a workstation that hospital staff use to view their patients' physiological data, waveforms, and demographics. Data is transmitted from multiple patient-side monitors and collected through a shared network. CIC Pro may be used to centrally manage patient monitors for things such as admission, date and time synchronization, and setting alarm limits.
Researchers started the investigation when they noticed CIC Pro devices in the field had open ports running an outdated and potentially problematic version of Webmin. "It was allowing incoming traffic on a range of management ports," says head of research Elad Luz. "With that [discovery], we thought we'd do an in-depth examination of that product ourselves."
Their analysis led to a total of six severe vulnerabilities, as listed in CISA's advisory. Five were assigned a CVSS maximum severity score of 10: CVE-2020-6961, CVE-2020-6963, CVE-2020-6964, CVE-2020-6966, and CVE-2020-6962. The sixth, CVE-2020-6965, was given a high-severity score of 8.5. MDhex was reported to GE on September 18, 2019, and is being formally disclosed today after a period of collaboration among GE, CISA, and CyberMDX to confirm and evaluate the vulnerabilities.
The popular Carescape product line, launched in 2007, has been adopted by hospitals around the world. Products affected by these vulnerabilities include certain versions of the Carescape CIC, Apex Telemetry Server/Tower, Central Station (CSCS) Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. GE did not disclose the number of affected devices; however, CyberMDX believes the installed base is in the hundreds of thousands.
Inside a hospital, these devices are deployed on a network they share with other monitoring equipment, which also consists of vulnerable devices. If a hospital has one of these affected products, they likely have the others, Luz points out.
Each flaw exists in a different aspect of device design and configuration. CVE-2020-6961 is an SSH vulnerability. An SSH server configuration typically holds a file holding public keys of entities authorized to connect. In vulnerable devices, the configuration also has a private key — which is the same across the entire medical product line.
"The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products," researchers write in a blog post. "Using the private key, an attacker could remotely access and execute code on these devices — potentially comprising the device's very availability as well as the confidentiality and integrity of any data it holds."
The issue of hard-coded credentials also exists in Microsoft Server Message Block vulnerability CVE-2020-6963. Credentials underlying this flaw can be accessed by doing password recovery on the Window XP operating system of affected devices. With these credentials, an attacker could break into other devices. CVE-2020-6964 exists in MultiMouse/Kavoon KM software, which enables remote keyboard, mouse, and clipboard control of a device. The bug could let an attacker abuse this functionality and take over devices without any credential controls to alter device settings and change data.
VNC vulnerability CVE-2020-6966 enables remote control in VNC, a software used for remote desktop access. Credentials for this are insecurely stored and can be found in publicly available and easily searchable product documentation. CVE-2020-6962 pertains to the deprecated version of Webmin (1.2.5) in affected devices, which are exposed to known exploits in the wild.
These vulnerabilities generated the highest scores because they easily allow hackers to do remote code execution, which Luz considers "the endgame" for the majority of cyberattacks.
"Once you gain that remote code execution, you can [alter] the device functionality, perhaps make it unusable, perhaps make it display false data, things like that," he explains. While it's not clear why an attacker might target a specific medical device, the level of access granted by these vulnerabilities could enable a large-scale ransomware attack on a healthcare target.
GE plans to provide patches and additional security information for affected users over the coming months. Users can check its website for more updates or contact the company directly. In the meantime, mitigations are offered in the CyberMDX blog post.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."