GE Healthcare Patient Monitoring Products Affected by Critical ‘MDHex’ Vulnerabilities

A security researcher at CyberMDX identified critical vulnerabilities in GE Healthcare patient monitoring equipment.

CyberMDX Head of Research, Elad Luz, discovered six vulnerabilities, with five rated as critical and one rated as high severity. The assigned CVSS v3 score of the five critical vulnerabilities was 10 out of 10. The assigned CVSS v3 score for the other vulnerability was 8.5 out of 10.

Attackers exploiting the vulnerabilities could make the affected products useless. The functionality of vulnerable products could be modified remotely. The alarm settings could be disabled and stored protected health information (PHI) in the device could be stolen.

The first product investigated by CyberMDX was the CARESCAPE Clinical Information Center (CIC) Pro product, however, it was found out that the vulnerabilities affected patient monitors, telemetry systems and servers. The vulnerabilities were altogether called MDHex and were labeled as CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966. GE Healthcare confirmed the potentially serious consequences of the vulnerabilities to patients when hundreds of thousands of products are exploited.

CVE-2020-6961 (CVSS 10.0) – this vulnerability allows exploitation of the unsecured storage of credentials (CWE-256). An attacker exploiting the vulnerability could get the SSH private key from the configuration files through an SSH connection and wirelessly execute arbitrary code on affected products. All vulnerable products share the same SSH key.

CVE-2020-6962 (CVSS 10.0) – this vulnerability exploits the input validation vulnerability (CWE-20) found in the configuration utility of the networked system. It allows an attacker to execute arbitrary code remotely.

CVE-2020-6963 (CVSS 10.0) – this vulnerability is concerned with the usage of hard-coded Server Message Block (SMB) credentials (CWE-798). It allows an attacker to set up an SMB link and read and/or write files within the system. The SMB credentials can be acquired by means of the password recovery tool of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) – this vulnerability exploits the insufficient authentication for critical function (CWE-306) of the incorporated Kavoom! Keyboard/mouse software program. If an attacker exploits this vulnerability, remotely inputting keystrokes and changing device configurations on all affected devices on the network are possible even with no authentication.

CVE-2020- 6965 (CVSS 8.5) – this vulnerability is because of the inability to limit the upload of unsafe file types (CWE-434). It allows an attacker to upload arbitrary files via the software update facility.

CVE-2020-6966 (CVSS 10.0) – this vulnerability exploits weak encryption (CWE-326). With weak encryption, an attacker acquires remote desktop control via the VNC software to remotely execute code on vulnerable connected devices. The required credentials can likewise be acquired from product documentation available to the public.

Based on the latest ICS-CERT Advisory, the vulnerabilities affect the following GE Healthcare products:

  • ApexPro Telemetry Server, Versions 4.2 and earlier versions
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Versions 4.2 and earlier versions
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • CARESCAPE Telemetry Server, Version 4.3
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is presently creating patches to fix vulnerable devices. The patches will be available in Q2 of 2020. Meanwhile, GE Healthcare has released recommended mitigations to minimize the threat of vulnerabilities exploitation.

Healthcare providers must carry out basic network security guidelines and make sure to configure the mission critical (MC) and information exchange (IX) networks correctly and satisfy the conditions established in the CARESCAPE Network Configuration Guide, Patient Monitoring Network Configuration Guide, and product technical and service manuals.

Use a router or firewall if connectivity outside the MC and/or IX networks is necessary. GE Healthcare advises blocking all inbound traffic from beyond the network at the MC and IX router firewall, except if needed for clinical data flows. The listed ports must be blocked so that traffic from outside the MC and IX network don’t get through:

  • TCP Port 22 for SSH and TCP
  • UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB
  • TCP Ports 10000, 5225, 5800, 5900, and 10001

Limit physical access to Telemetry Servers, Central Stations, and the MC and IX networks. Follow password management guidelines and change default passwords for Webmin.

It is believed that no exploits for the vulnerabilities were made public. GE Healthcare is not aware of any attempts of cyberattacks or patient injury resulting from the vulnerabilities.