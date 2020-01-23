GE Healthcare Carescape CIC Pro workstation

Image: GE Healthcare

Security researchers at CyberMDX, a cyber security company specializing in healthcare security, today published technical details of six vulnerabilities that they collectively refer to as MDhex.

The vulnerabilities affect seven GE Healthcare products designed to monitor patients' vital signs. These are devices installed near patient beds that collect data from patients and send it back to a telemetry server operated by clinical staff. According to CyberMDX, the affected GE Healthcare devices are:

Central Information Center (CIC), versions 4.x and 5.x

CARESCAPE Central Station (CSCS), versions 1.x and 2.x

CARESCAPE Telemetry server, versions 4.3, 4.2 and earlier

Apex Pro Telemetry Server / Tower, versions 4.2 and earlier

B450 patient monitor, version 2.x

B650 patient monitor, versions 1.x and 2.x

B850 patient monitor, versions 1.x and 2.x

According to CyberMDX, the MDhex vulnerabilities allow an attacker with access to a hospital network to take over vulnerable patient monitors and/or telemetry aggregation servers and then turn off alerts, endangering patients' lives.

In addition to the CyberMDX advisory, the Department of Homeland Security has today also published security advisories to alert healthcare providers of MDhex vulnerabilities.

The DHS CISA advisory and the FDA advisory contain mitigations that hospitals and clinics can apply to keep attackers from taking control of the devices. The general advice is to put these devices on their own separate network, one that is not connected to the internet and is isolated from other hospital systems.

Patches come in Q2 2020

Patches are not available at the time of writing. A GE Healthcare spokesperson told ZDNet this week in an email that the company plans to release software updates in Q2 2020 to address the reported MDhex issues.

According to CyberMDX, the vulnerabilities are about as bad as they can be, with five of the six MDhex bugs receiving a score of 10 out of 10 on the CVSSv3 severity scale.

CVE / CVSSv3 severity / Description

CVE-2020-6961 (10/10)
A shared SSH private key is shipped on the devices. It allows a remote attacker to log in and execute code on them, potentially compromising the availability of the device as well as the confidentiality and integrity of all data it holds.

CVE-2020-6962 (10/10)
Hard-coded SMB credentials are shared across a range of CARESCAPE and other GE Healthcare devices. Using them, an attacker can open an SMB connection from outside the device and gain read/write access to all files on the system.

CVE-2020-6963 (10/10)
The bundled MultiMouse / Kavoom KM software can be used to obtain remote keyboard, mouse and clipboard control of the machine.

CVE-2020-6964 (10/10)
Hard-coded VNC credentials are shipped with the affected GE devices.

CVE-2020-6965 (10/10)
The affected GE Healthcare devices ship with a version of Webmin (a web-based management console) that contains known vulnerabilities.

CVE-2020-6966 (8.5/10)
The GE devices ship with a software update manager that facilitates remote updates. This update manager allows files to be uploaded to the device remotely.

However, a GE Healthcare spokesperson disputed the severity ratings, stating that “in correctly configured situations, applying a recommended environmental score adjustment would bring vulnerabilities to a Common Vulnerability Scoring System (CVSS) score of 8.2” rather than 10/10.

The healthcare device vendor also says that if hospitals configure these devices correctly, on isolated networks, the danger to hospitals and their patients is much smaller.
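Both the advisories' advice to keep the monitors on a separate, non-internet-connected network and GE's environmental-score argument assume that the isolation is actually enforced by the hospital's firewall policy. As an added example (not code from CyberMDX, GE Healthcare or the advisories), the following Python script models a first-match firewall policy and checks whether anything outside a hypothetical monitoring subnet can reach the SSH, SMB, VNC or Webmin services the MDhex flaws are exposed over, and whether a monitor can reach the internet at all. The subnets, addresses and rules are constructed; the port numbers are the standard defaults for those services and are not stated on this page.

```python
"""Policy check for the isolation advice: can anything outside the patient-
monitoring network reach the services the MDhex flaws are exposed over, and
can a monitor reach the internet?  Added example; the addresses, subnets and
rules below are constructed, not taken from the advisories."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network services named in the MDhex table, keyed by their standard default
# port (the port numbers are the usual defaults, not from the advisory).
MDHEX_SERVICES = {
    22: "SSH (CVE-2020-6961, shared private key)",
    445: "SMB (CVE-2020-6962, hard-coded credentials)",
    5900: "VNC (CVE-2020-6964, hard-coded credentials)",
    10000: "Webmin (CVE-2020-6965, known vulnerabilities)",
}


@dataclass
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow" or "deny"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, as most
    firewalls do it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def exposures(rules: List[Rule], outside_hosts: List[str], monitor: str,
              internet_host: str = "203.0.113.10") -> List[Tuple[str, int, str]]:
    """Every (source, port, service) an outside host can reach on the monitor,
    plus an ('egress', port, ...) entry if the monitor can reach the internet."""
    found = []
    for src in outside_hosts:
        for port, svc in MDHEX_SERVICES.items():
            if first_match(rules, src, monitor, port) == "allow":
                found.append((src, port, svc))
    for port in (80, 443):
        if first_match(rules, monitor, internet_host, port) == "allow":
            found.append(("egress", port, "monitor can reach the internet"))
    return found


# Constructed topology (hypothetical addresses).
MONITOR_NET = "10.50.0.0/24"   # bedside monitors and telemetry server
MONITOR = "10.50.0.21"         # one bedside monitor
TELEMETRY = "10.50.0.10"       # telemetry server on the same segment
OUTSIDE = ["10.10.0.5",        # clinical workstation on the hospital LAN
           "192.168.100.5",    # guest Wi-Fi client
           "203.0.113.5"]      # internet host

# Weak setting: a flat hospital network with no segmentation at all.
FLAT = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Common mistake: segmented, but a file-share exception lets the LAN at SMB.
LEAKY = [Rule("10.10.0.0/16", MONITOR_NET, 445, "allow"),
         Rule(MONITOR_NET, MONITOR_NET, None, "allow")]

# Corrected setting: monitors talk only to each other and the telemetry
# server; everything else, including egress to the internet, is denied.
ISOLATED = [Rule(MONITOR_NET, MONITOR_NET, None, "allow")]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("leaky", LEAKY), ("isolated", ISOLATED)):
        print(name, exposures(policy, OUTSIDE, MONITOR))
```

The flat policy exposes every MDhex service to every outside host and lets the monitor out to the internet; the "leaky" policy shows how a single file-share exception re-exposes the hard-coded SMB credentials to the clinical LAN even though the segment looks isolated; only the last policy reports nothing while still letting the telemetry server talk to the monitor. Running the same check against an exported rule set is a quick way to confirm that the "correctly configured" assumption behind GE's 8.2 environmental score holds.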

Hospitals have been notified since last year

GE Healthcare has been aware of these bugs since last year and, even before today's disclosure, had been working to reduce their impact by quietly warning hospitals in advance.

“GE Healthcare began sending letters to customers worldwide on November 12, 2019, reminding users of the correct configuration of patient monitor networks,” a GE spokesperson told ZDNet.

“We advise our customers to ensure that their networks are correctly configured and isolated to protect against these potential problems and to limit the risk.”

GE Healthcare said it also plans to publish these mitigations in the security section of its web portal to make them widely available.

At the time of writing, the vendor said it was “unaware of incidents where these vulnerabilities have been exploited in a clinical situation.”

This is the second major set of vulnerabilities GE Healthcare has had to address in the past year. Last year, CyberMDX found security flaws in several of the company's anesthesia machines.