MDhex-Ray is a vulnerability discovered by CyberMDX and published by CISA on the 8th of December 2020 as CVE-2020-25179. MDhex-Ray affects a long list of CT, X-Ray, and MRI imaging systems manufactured by GE Healthcare.
Successful exploitation may expose sensitive data, such as protected health information (PHI), or allow an attacker to run arbitrary code, which could affect the availability of the system and allow PHI to be manipulated.
The profound potential impact of these vulnerabilities, coupled with the relative ease of exploitation, is what earns them a critical severity score. Immediately upon discovering the flaw in May 2020, CyberMDX contacted GE Healthcare to report the issue, and both organizations are working together to resolve it.
More than 100 devices are affected by this vulnerability across the following product lines:
| Modality | Affected product lines |
|---|---|
| MRI | Signa, Brivo, Optima |
| Ultrasound | LOGIQ, Vivid, EchoPAC, Image Vault, Voluson |
| X-Ray | Brivo, Definium, AMX, Discovery, Optima, Precision |
| Mammography | Seno, Senographe Pristina |
| Computed Tomography | BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier |
| Nuclear Medicine, PET/CT | Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace |

| Detail | Value |
|---|---|
| Risk Level | A maximum severity score of 9.8 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | May 2020 |
| CISA Advisory date | December 8, 2020 |
The affected modalities contain an integrated PC running a Unix-based operating system. On top of that operating system, the modalities run proprietary software that manages the device and also handles the maintenance and update procedures that GE performs over the internet.
The update and maintenance software periodically connects to GE's online maintenance servers and authenticates those connections with credentials that are publicly exposed (they can be found online).
The credentials can only be updated by the GE Healthcare Support team. Unless a customer requests a change, the credentials remain at their default values.
HDOs (healthcare delivery organizations) are generally unaware that these credentials exist or how the maintenance mechanism works, and we found that the modalities do not restrict maintenance communication to GE servers: entities other than GE can reach the same maintenance interfaces.
Contact GE Healthcare and request a credentials change on all affected devices in your facility. Note: the credentials change can ONLY be performed by the GE Healthcare Support team; customers do not have the ability to change them at this time.
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly.
Additionally, implement a network policy that restricts the following ports on the affected devices so that they are reachable only from GE maintenance servers:
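As an added example (not part of the original advisory, and not GE Healthcare's or CyberMDX's code), the following Python script shows both halves of that network policy from the defender's side: it renders an nftables ruleset that permits the maintenance ports only from GE's maintenance server ranges and drops everything else, and it audits connection logs for maintenance-port traffic to the modalities that did not come from those ranges. The port numbers, the GE network range, the modality inventory, the log line format and the function names are all placeholders and constructed assumptions; substitute the ports listed in the advisory and the address ranges obtained from GE Healthcare.

```python
"""Restrict and audit maintenance-port access to affected GE modalities.

Constructed example. Every address, port and log line below is a placeholder;
replace them with the advisory's port list and the ranges supplied by GE.
"""
import ipaddress
import re
from dataclasses import dataclass

# PLACEHOLDER (assumption): GE's maintenance server range. TEST-NET-2 is used here.
GE_MAINTENANCE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# PLACEHOLDER (assumption): the maintenance ports the advisory asks you to restrict.
MAINTENANCE_PORTS = {2222, 5555}
# Constructed inventory of affected modalities on the hospital network.
AFFECTED_MODALITIES = {
    "10.20.30.11": "CT scanner (Optima)",
    "10.20.30.12": "MRI (Signa)",
}

# Constructed flow-log format: "<timestamp> proto=tcp src=A:p dst=B:q".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    modality: str


def is_ge_maintenance_source(addr: str) -> bool:
    """True when the address falls inside an allowlisted GE maintenance range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GE_MAINTENANCE_NETWORKS)


def parse_line(line: str):
    """Return the parsed fields of one flow-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Report maintenance-port connections to affected modalities from non-GE sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as findings
        dst, dport = rec["dst"], int(rec["dport"])
        if dst not in AFFECTED_MODALITIES or dport not in MAINTENANCE_PORTS:
            continue  # not a maintenance port on a device in the inventory
        if is_ge_maintenance_source(rec["src"]):
            continue  # expected traffic from GE's maintenance servers
        findings.append(Finding(rec["ts"], rec["src"], dst, dport, AFFECTED_MODALITIES[dst]))
    return findings


def nft_rules() -> str:
    """Render an nftables ruleset: maintenance ports reachable only from GE ranges."""
    hosts = ", ".join(sorted(AFFECTED_MODALITIES))
    ports = ", ".join(str(p) for p in sorted(MAINTENANCE_PORTS))
    nets = ", ".join(str(n) for n in GE_MAINTENANCE_NETWORKS)
    return (
        "table inet modality_maint {\n"
        f"    set ge_maint {{ type ipv4_addr; flags interval; elements = {{ {nets} }}; }}\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"        ip daddr {{ {hosts} }} tcp dport {{ {ports} }} ip saddr @ge_maint accept\n"
        f"        ip daddr {{ {hosts} }} tcp dport {{ {ports} }} drop\n"
        "    }\n"
        "}\n"
    )


# Constructed sample log: one legitimate GE session, two non-GE sessions, noise.
SAMPLE_LOG = [
    "2020-12-08T10:00:01Z proto=tcp src=198.51.100.7:51000 dst=10.20.30.11:2222",
    "2020-12-08T10:05:12Z proto=tcp src=10.20.40.77:44321 dst=10.20.30.11:2222",
    "2020-12-08T10:06:00Z proto=tcp src=10.20.40.77:44322 dst=10.20.30.12:80",
    "2020-12-08T10:07:30Z proto=tcp src=203.0.113.9:40000 dst=10.20.30.12:5555",
    "2020-12-08T10:08:00Z proto=tcp src=10.20.40.77:44323 dst=10.20.30.99:2222",
    "this line is not a flow record",
]

if __name__ == "__main__":
    print(nft_rules())
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} non-GE source {f.src} -> {f.dst}:{f.dport} ({f.modality})")
```

The ruleset belongs on the firewall or router between the imaging segment and the rest of the network (load it with `nft -f`); add a matching `udp dport` rule if any of the advisory's ports are UDP. Run the audit over the same firewall's flow or connection logs to confirm the policy is actually enforced and to spot any non-GE host that reached a maintenance port before it was.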
Elad Luz, Head of Research at CyberMDX
Lior Bar Yosef, Cyber Security Analyst
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The comprehensive threat intelligence analyst team tirelessly works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team’s researchers, white-hat hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions, and methodology and deliver the best protection against attacks and malware.