Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/23/2020
01:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Severe Vulnerabilities Discovered in GE Medical Devices

CISA has released an advisory for six high-severity CVEs for GE Carescape patient monitors, Apex Pro, and Clinical Information Center systems.

The US Cybersecurity and Infrastructure Agency (CISA) today issued an advisory for six high-severity security vulnerabilities in patient monitoring devices manufactured by GE Healthcare.

These flaws, collectively dubbed "MDhex," could allow an attacker to make changes at the software level of a device and in doing so interfere with its functionality, render it unusable, change alarm settings, or expose personal health information (PHI). Their discovery began with CyberMDX security researchers investigating the CIC Pro, a common product among customers.

The CIC Pro is a workstation that hospital staff use to view their patients' physiological data, waveforms, and demographics. Data is transmitted from multiple patient-side monitors and collected through a shared network. CIC Pro may be used to centrally manage patient monitors for things such as admission, date and time synchronization, and setting alarm limits.

Researchers started the investigation when they noticed CIC Pro devices in the field had open ports running an outdated and potentially problematic version of Webmin. "It was allowing incoming traffic on a range of management ports," says head of research Elad Luz. "With that [discovery], we thought we'd do an in-depth examination of that product ourselves."

Their analysis led to a total of six severe vulnerabilities, as listed in CISA's advisory. Five were assigned a CVSS maximum severity score of 10: CVE-2020-6961, CVE-2020-6963, CVE-2020-6964, CVE-2020-6966, and CVE-2020-6962. The sixth, CVE-2020-6965, was given a high-severity score of 8.5. MDhex was reported to GE on September 18, 2019, and is being formally disclosed today after a period of collaboration among GE, CISA, and CyberMDX to confirm and evaluate the vulnerabilities.

The popular Carescape product line, launched in 2007, has been adopted by hospitals around the world. Products affected by these vulnerabilities include certain versions of the Carescape CIC, Apex Telemetry Server/Tower, Central Station (CSCS) Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor. GE did not disclose the number of affected devices; however, CyberMDX believes the installed base is in the hundreds of thousands.

Inside a hospital, these devices are deployed on a network they share with other monitoring equipment, which also consists of vulnerable devices. If a hospital has one of these affected products, they likely have the others, Luz points out.

Each flaw exists in a different aspect of device design and configuration. CVE-2020-6961 is an SSH vulnerability. An SSH server configuration typically holds a file holding public keys of entities authorized to connect. In vulnerable devices, the configuration also has a private key — which is the same across the entire medical product line.

"The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products," researchers write in a blog post. "Using the private key, an attacker could remotely access and execute code on these devices — potentially comprising the device's very availability as well as the confidentiality and integrity of any data it holds."

The issue of hard-coded credentials also exists in Microsoft Server Message Block vulnerability CVE-2020-6963. Credentials underlying this flaw can be accessed by doing password recovery on the Window XP operating system of affected devices. With these credentials, an attacker could break into other devices. CVE-2020-6964 exists in MultiMouse/Kavoon KM software, which enables remote keyboard, mouse, and clipboard control of a device. The bug could let an attacker abuse this functionality and take over devices without any credential controls to alter device settings and change data.

VNC vulnerability CVE-2020-6966 enables remote control in VNC, a software used for remote desktop access. Credentials for this are insecurely stored and can be found in publicly available and easily searchable product documentation. CVE-2020-6962 pertains to the deprecated version of Webmin (1.2.5) in affected devices, which are exposed to known exploits in the wild.

These vulnerabilities generated the highest scores because they easily allow hackers to do remote code execution, which Luz considers "the endgame" for the majority of cyberattacks.

"Once you gain that remote code execution, you can [alter] the device functionality, perhaps make it unusable, perhaps make it display false data, things like that," he explains. While it's not clear why an attacker might target a specific medical device, the level of access granted by these vulnerabilities could enable a large-scale ransomware attack on a healthcare target.

GE plans to provide patches and additional security information for affected users over the coming months. Users can check its website for more updates or contact the company directly. In the meantime, mitigations are offered in the CyberMDX blog post.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13842
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
CVE-2020-13843
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
CVE-2020-13839
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
CVE-2020-13840
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
CVE-2020-13841
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).