Critical Vulnerabilities Found in Over 100 GE Healthcare Imaging and Ultrasound Devices

Two critical-severity vulnerabilities found in GE Healthcare medical imaging products may permit remote code execution and access to or alteration of sensitive patient information. The vulnerabilities affect GE Healthcare’s proprietary management software and impact over 100 GE Healthcare imaging devices, including MRI, Advanced Visualization, Ultrasound, Interventional, Mammography, X-Ray, Computed Tomography, PET/CT and Nuclear Medicine devices.

GE Healthcare products affected by the vulnerabilities include:
  • Ultrasound Devices – Image Vault, EchoPAC, LOGIQ, Voluson, Vivid
  • MRI Devices – Brivo, Optima, Signa
  • Advanced Visualization Device – AW
  • X-Ray Devices – AMX, Brivo, Discovery, Definium, Optima, Precision
  • Interventional Devices – Optima, Innova
  • Mammography Devices – Seno, Senographe Pristina
  • Nuclear Medicine, PET/CT Devices – Brivo, Discovery, PET Discovery, Infinia Optima, PETtrace, Ventri, Xeleris
  • Computed Tomography Devices – Brivo, BrightSpeed, Discovery, Frontier Optima, LightSpeed, Revolution

Researchers Lior Bar Yosef and Elad Luz of CyberMDX discovered the vulnerabilities and notified GE Healthcare in May 2020. CyberMDX refers to the vulnerabilities as MDHexRay. Both vulnerabilities have been assigned a CVSS v3 base score of 9.8 out of 10.

The first vulnerability, CVE-2020-25175, is caused by unprotected transport of credentials over the network. The second vulnerability is caused by the exposure of sensitive system data to an unauthorized control sphere, which may permit access to or alteration of sensitive data.

The CyberMDX researchers determined that GE Healthcare’s servicing practices depended on certain ports being open and reachable by GE Healthcare so that the devices could be managed remotely over the internet. Although credentials are required to update and maintain the software, GE Healthcare changes the default credentials only when a customer requests it. The default credentials are easy for anyone to find online. The number of customers that have requested a change of the default credentials is unknown.

An attacker could exploit the vulnerabilities only when connected to the hospital’s network. The default credentials can then be used to access vulnerable connected imaging devices, including the data stored on them. Unauthorized users cannot access the medical devices unless they gain access to the hospital’s internal network. There have been no reports of the vulnerabilities being exploited in the wild.

GE Healthcare has evaluated the vulnerabilities, performed a risk assessment, and confirmed that there are no patient safety issues; nevertheless, the vulnerabilities present a risk to patient privacy. An attacker could also alter patient data, which may affect the results of some treatments. Because data stays on the imaging devices for only a finite amount of time before being transmitted to PACS, the potential compromise of patient data is limited.

Because no patch to fix the vulnerabilities is available yet, mitigation steps include changing the default password, which only GE Healthcare can do. GE Healthcare is currently informing its customers and is assisting affected clients in changing the default password and making sure the firewalls of their products are set up correctly. Customers are likewise being instructed to follow guidelines for network management and security. CyberMDX suggests setting ports 21 (FTP), 22 (SSH), 23 (Telnet), and 512 (REXEC) to listen-only mode.
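
To check whether the four service ports named above are reachable only by the intended maintenance hosts, a defender can audit firewall or flow logs for the imaging network. The following is an added example, not code from CyberMDX or GE Healthcare; the log format, the imaging subnet and the approved source range are assumptions chosen for illustration, and the log lines are constructed.

```python
import ipaddress

# Ports named in the CyberMDX guidance quoted on this page.
SERVICE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}
CLEARTEXT = {21, 23, 512}  # these protocols carry credentials unencrypted

# Assumptions for illustration: site-specific address ranges.
IMAGING_NET = ipaddress.ip_network("10.20.30.0/24")        # hypothetical imaging VLAN
APPROVED_SOURCES = [ipaddress.ip_network("10.99.0.0/28")]  # hypothetical service jump hosts

# Constructed sample records in an assumed format: "timestamp src dst dport action"
SAMPLE_LOG = """\
2020-12-08T09:14:02Z 10.99.0.5 10.20.30.11 22 ALLOW
2020-12-08T09:15:40Z 10.99.0.5 10.20.30.11 23 ALLOW
2020-12-08T10:02:17Z 10.40.7.88 10.20.30.12 21 ALLOW
2020-12-08T10:02:19Z 10.40.7.88 10.20.30.12 512 DENY
2020-12-08T10:05:00Z 10.40.7.88 10.20.30.12 104 ALLOW
malformed line
2020-12-08T11:30:00Z 10.40.7.88 10.50.1.1 23 ALLOW
"""

def audit(log_text):
    """Return (timestamp, src, dst, service, reason) for each risky allowed connection."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Only allowed traffic to a service port on an imaging device matters here.
        if action != "ALLOW" or dst_ip not in IMAGING_NET or port not in SERVICE_PORTS:
            continue
        if not any(src_ip in net for net in APPROVED_SOURCES):
            findings.append((ts, src, dst, SERVICE_PORTS[port], "unapproved-source"))
        elif port in CLEARTEXT:
            # Approved host, but the credentials still cross the network in the clear.
            findings.append((ts, src, dst, SERVICE_PORTS[port], "cleartext-credentials"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

An "unapproved-source" finding points to a firewall rule that is too broad, while a "cleartext-credentials" finding marks a maintenance session whose login is exposed to anyone able to observe that network segment.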