Security researchers from CyberMDX, a cyber-security company specialized in healthcare security, have disclosed today technical details about six vulnerabilities they are collectively referring to as MDhex.
The vulnerabilities impact seven GE Healthcare devices meant for patient vital signs monitoring. These are devices installed near patient beds, meant to collect data from sick patients, and send it back to a telemetry server, monitored by clinical staff. Per CyberMDX, impacted GE Healthcare devices include:
- Central Information Center (CIC), versions 4.x and 5.x
- CARESCAPE Central Station (CSCS), versions 1.x and 2.x
- CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
- Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
- B450 patient monitor, version 2.x
- B650 patient monitor, versions 1.x and 2.x
- B850 patient monitor, versions 1.x and 2.x
The MDhex security flaws, according to CyberMDX experts, allow an attacker with access to a hospital’s network to take over vulnerable patient monitors and/or telemetry aggregation servers, and then silence alerts, putting patient lives at risk.
Besides the CyberMDX advisory, the Department of Homeland Security has also published security advisories today meant to warn healthcare providers about the MDhex vulnerabilities.
The DHS CISA and FDA advisories contain mitigations that hospitals and clinics can deploy to prevent attackers from exploiting the devices. The general advice is to place these devices on their own separate networks, not connected to the internet, and isolated from any other hospital systems.
Patches coming in Q2 2020
Patches are not available at the time of writing. A GE Healthcare spokesperson told ZDNet in an email this week that the company plans to release software updates in Q2 2020 to address the reported MDhex issues.
According to CyberMDX experts, the vulnerabilities are as bad as they can be, with five out of the six MDhex bugs receiving a rating of 10 out of 10 on the CVSSv3 severity scale.
|CVE-2020-6961||10/10||SSH private key included on devices. Using the private key, an attacker could remotely access and execute code on these devices — potentially comprising the device’s very availability as well as the confidentiality and integrity of any data it holds.|
|CVE-2020-6962||10/10||Using hard-coded SMB credentials that are universally shared across an entire line of devices in the CARESCAPE and GE Health family of products, an attacker could establish a remote SMB connection and receive read/write access to all files on the system.|
|CVE-2020-6963||10/10||MultiMouse / Kavoom KM software can be run to allow remote keyboard/mouse and clipboard control of a machine.|
|CVE-2020-6964||10/10||Hardcoded VNC credentials are included with the affected GE devices.|
|CVE-2020-6965||10/10||Affected GE Healthcare devices come pre-installed with a Webmin (web management console) version that contains known vulnerabilities.|
|CVE-2020-6966||8.5/10||GE devices come pre-loaded with a software update manager to facilitate the remote deployment of updates. This software update manager allows remote file upload.|
However, a GE Healthcare spokesperson disputed the severity ratings, contesting that “in properly configured situations, application of a recommended environmental score modification would land the vulnerabilities at a Common Vulnerability Scoring System (CVSS) score of 8.2,” and not 10/10.
The healthcare device vendor also says that if vendors configure these devices properly, on isolated networks, the danger is much lower to hospitals and their patients.
Hospitals have been notified since last year
GE Healthcare has known about these bugs since last year, and even before today’s public disclosure, it has been working to reduce its impact by secretly warning hospitals in advance.
“GE Healthcare began sending letters to customers globally on November 12, 2019, which reminds users of the proper configuration of the patient monitor networks,” a GE spokesperson told ZDNet.
“We are advising our customers to ensure their networks are properly configured and isolated to protect against these potential concerns and mitigate the risk.”
GE Healthcare said it also plans to publish these mitigations on its web portal’s security section, to make them broadly available.
At the time of writing, the vendor said it was “not aware of any incidents where these vulnerabilities have been exploited in a clinical situation.”
This is the second major set of vulnerabilities GE Healthcare has dealt with during the past year. CyberMDX found security flaws in several of the company’s anesthesia machines last year.