Vulnerability Research & Disclosures

CyberMDX Research Team Discovers Vulnerability in GE LightSpeed, Revolution, and other CT, MRI, and X-Ray imaging systems

CISA Advisory (ICSMA-20-343-01)

MDhex-Ray Background

MDhex-Ray is a vulnerability discovered by CyberMDX and published by CISA on the 8th of December 2020 as CVE-2020-25179. MDhex-Ray affects a long list of CT, X-Ray, and MRI imaging systems manufactured by GE Healthcare.

Successfully exploiting the vulnerability may expose sensitive data, such as PHI, or allow the attacker to run arbitrary code on the device, which could impact the availability of the system and allow manipulation of PHI.

The profound potential impact of this vulnerability, coupled with the relative ease of exploitation, is what earns it such a critical score. Immediately upon discovering the flaw in May 2020, CyberMDX contacted GE Healthcare to report the issue, and both organizations are working together to resolve it.

More than 100 devices are affected by this vulnerability across the following product lines:

Modality                  Product Families
------------------------  --------------------------------------------------------------------------
MRI                       Signa, Brivo, Optima
Ultrasound                LOGIQ, Vivid, EchoPAC, Image Vault, Voluson
Advanced Visualization    AW
Interventional            Innova, Optima
X-Ray                     Brivo, Definium, AMX, Discovery, Optima, Precision
Mammography               Seno, Senographe Pristina
Computed Tomography       BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier
Nuclear Medicine, PET/CT  Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace

GE Management Software Vulnerability (CVE-2020-25179)

Risk Level: A maximum severity score of 9.8 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: May 2020
CISA Advisory date: December 8, 2020

Vulnerability Details

Default credentials used on GE proprietary management software

The affected modalities have an integrated PC running a Unix-based operating system. On top of that operating system, each modality runs proprietary GE software that manages the device and handles the maintenance and update procedures GE performs remotely over the internet.

The update and maintenance software periodically connects to GE's online maintenance servers and authenticates those connections using credentials that are publicly exposed (they can be found online).

The credentials can only be changed by the GE Healthcare Support team. Unless a customer requests a change, the credentials are left at their defaults.

Because HDOs (healthcare delivery organizations) are generally unaware that these credentials exist or how the maintenance mechanism works, we found that these modalities lack restrictions on maintenance communication with entities other than GE servers.

Mitigations and Recommendations

Contact GE Healthcare and request credentials change on all affected devices in your facility. Note – the credentials change can ONLY be performed by the GE Healthcare Support team. Customers do not have the ability to change them at this time.

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly.

Additionally, you should implement a network policy that restricts the following ports on the affected devices so that they are reachable only from GE maintenance servers:

  • FTP (port 21) - used by the modality to obtain executable files from the maintenance server
  • SSH (port 22)
  • Telnet (port 23) - used by the maintenance server to run shell commands on the modality
  • REXEC (port 512) - used by the maintenance server to run shell commands on the modality
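As an added illustration (not part of the CyberMDX advisory or GE's own tooling), the following Python renders the recommended port policy as an nftables ruleset and checks constructed flow records for maintenance-port connections to modalities from anything other than the assumed GE maintenance range. The modality subnet and the GE server range are placeholders.

```python
import ipaddress

# Ports the advisory says should reach the modalities only from GE maintenance servers.
MAINTENANCE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

# Constructed sample addressing (assumptions): a modality VLAN and a stand-in for
# the GE maintenance server range. Replace both with the real values for your site.
MODALITY_NET = ipaddress.ip_network("10.20.30.0/24")
GE_MAINTENANCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def nftables_policy(modality_net, ge_nets):
    """Render an nftables ruleset: maintenance ports on modalities accept only from GE nets."""
    ports = ", ".join(str(p) for p in sorted(MAINTENANCE_PORTS))
    sources = ", ".join(str(n) for n in ge_nets)
    return "\n".join([
        "table inet modality_maint {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {modality_net} tcp dport {{ {ports} }} ip saddr {{ {sources} }} accept",
        f"    ip daddr {modality_net} tcp dport {{ {ports} }} drop",
        "  }",
        "}",
    ])


def flag_unauthorized(log_lines, modality_net, ge_nets):
    """Return (src, dst, port, service) for every connection to a modality maintenance
    port that did not originate from a GE maintenance network."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src, dst = ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"])
        dport = int(fields["dport"])
        if dst in modality_net and dport in MAINTENANCE_PORTS \
                and not any(src in net for net in ge_nets):
            hits.append((str(src), str(dst), dport, MAINTENANCE_PORTS[dport]))
    return hits


# Constructed sample flow records in a simple key=value form (not real logs).
SAMPLE_LOG = [
    "src=203.0.113.10 dst=10.20.30.5 dport=23 proto=tcp",   # GE server -> modality: expected
    "src=10.20.40.77 dst=10.20.30.5 dport=512 proto=tcp",   # workstation -> modality: unexpected
    "src=10.20.40.77 dst=10.20.30.5 dport=104 proto=tcp",   # DICOM traffic: not a maintenance port
    "src=192.0.2.44 dst=10.20.30.9 dport=21 proto=tcp",     # unknown external host: unexpected
]

if __name__ == "__main__":
    print(nftables_policy(MODALITY_NET, GE_MAINTENANCE_NETS))
    for hit in flag_unauthorized(SAMPLE_LOG, MODALITY_NET, GE_MAINTENANCE_NETS):
        print("ALERT:", hit)
```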


Credit

Elad Luz, Head of Research at CyberMDX
Lior Bar Yosef, Cyber Security Analyst

About the CyberMDX Cybersecurity Research and Analysis Team

CyberMDX's research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The comprehensive threat intelligence analyst team tirelessly works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team's researchers, white-hat hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions, and methodology and deliver the best protection against attacks and malware.

About CyberMDX

A pioneer in medical cyber security, CyberMDX is the company behind the leading IoMT visibility and security solution. CyberMDX identifies, categorizes, and protects connected medical devices — ensuring resiliency as well as patient safety and data privacy. With CyberMDX's continuous endpoint discovery and mapping, comprehensive risk assessment, AI-powered containment and response, and operational analytics, risks are easily mitigated and assets optimized.