Critical Flaw in GE Healthcare Imaging Devices Risks Patient Data

essidsolutions

CyberMDX researchers uncovered a severe vulnerability in over 100 imaging and surgical devices made by GE Healthcare. CISA advises affected parties to mitigate the risk through network segmentation.

Researchers at CyberMDX found a critical vulnerability in multiple imaging devices developed by GE Healthcare. The vulnerability resides in the radiology equipment’s maintenance protocols and, if exploited, risks exposing sensitive patient data such as personal health information (PHI). Attackers can access the data and alter it through arbitrary code execution, and can jeopardize the devices’ availability and functioning.

Dubbed MDhex-Ray by CyberMDX, the vulnerability is tracked as CVE-2020-25179 and carries a CVSS score of 9.8. The bug affects more than a hundred radiology devices, including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines, and ultrasound devices, across the following product lines:

Modality                  | Product Families
--------------------------|-------------------------------------------------------------------------
MRI                       | Signa, Brivo, Optima
Ultrasound                | LOGIQ, Vivid, EchoPAC, Image Vault, Voluson
Advanced Visualization    | AW
Interventional            | Innova, Optima
X-Ray                     | Brivo, Definium, AMX, Discovery, Optima, Precision
Mammography               | Seno, Senographe Pristina
Computed Tomography       | BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier
Nuclear Medicine, PET/CT  | Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace

“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, Head of Research at CyberMDX.

Luz discovered the vulnerability together with Cyber Security Analyst Lior Bar Yosef in May 2020, when they noticed unsecured communication patterns between medical devices and the corresponding vendor servers.

What makes CVE-2020-25179 so dangerous is the relative ease with which it can be exploited. CyberMDX explained that the vulnerable devices run an internet-facing Unix-based OS along with proprietary software that GE Healthcare uses to carry out maintenance and update procedures remotely. Additionally, many of these devices ship with default passwords that are publicly exposed and therefore need to be changed.

CyberMDX explained, “Having HDOs [Healthcare Delivery Organizations] not aware of the existence of those credentials or the nature of the maintenance mechanism, we found those modalities to lack restrictions on maintenance communication with entities other than GE servers.”

Mitigating the Threat

Firstly, all affected parties need to request an update of credentials, which can only be performed by the GE Healthcare Support team.

GE Healthcare also plans to patch affected systems, but that may take years. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has advised hospitals and clinical facilities to segment their networks and implement strict access rules for all connections.

CyberMDX suggests treating the following network ports as dedicated to device maintenance and covering them under those access rules:

  • FTP (port 21)
  • SSH (port 22)
  • Telnet (port 23)
  • REXEC (port 512)
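As an added illustration of the access-rule advice above (not code from the article, CyberMDX, or GE Healthcare), the following script reviews firewall-style connection records for an imaging-device VLAN and flags any connection to one of the four maintenance ports that does not originate from an allowlisted vendor maintenance host. The VLAN range, the vendor host address, and the log lines are constructed placeholders, not real GE addresses.

```python
import ipaddress
import re

# Constructed sample connection records (not from the article): firewall-style
# "src dst dport" lines observed on a segmented imaging-device VLAN.
SAMPLE_LOG = """\
2020-12-08T10:01:12 src=203.0.113.10 dst=10.20.5.11 dport=22
2020-12-08T10:02:40 src=198.51.100.7 dst=10.20.5.11 dport=23
2020-12-08T10:03:05 src=10.20.5.12 dst=10.20.5.11 dport=512
2020-12-08T10:04:19 src=203.0.113.10 dst=10.20.5.13 dport=21
2020-12-08T10:05:30 src=10.40.1.2 dst=10.20.5.13 dport=443
"""

# The ports the article lists as maintenance-only on the affected modalities.
MAINTENANCE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

# Assumptions for this example: the imaging VLAN and the vendor maintenance
# hosts permitted to reach it (placeholder addresses, not GE's real servers).
IMAGING_VLAN = ipaddress.ip_network("10.20.5.0/24")
VENDOR_MAINTENANCE_HOSTS = {ipaddress.ip_address("203.0.113.10")}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def find_unexpected_maintenance_access(log_text):
    """Return connections to a maintenance port on an imaging device whose
    source is not an allowlisted vendor host (including lateral traffic
    from another device inside the same VLAN)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dst not in IMAGING_VLAN or dport not in MAINTENANCE_PORTS:
            continue
        if src in VENDOR_MAINTENANCE_HOSTS:
            continue
        findings.append({"time": ts, "src": str(src), "dst": str(dst),
                         "port": dport, "service": MAINTENANCE_PORTS[dport]})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_maintenance_access(SAMPLE_LOG):
        print(f"{f['time']} {f['service']}/{f['port']} {f['src']} -> {f['dst']}")
```

On the sample records this reports the Telnet connection from an outside host and the REXEC connection from a neighbouring device, while the vendor host's SSH and FTP sessions and the HTTPS connection pass.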

There have been no reports of exploitation so far. GE Healthcare told BleepingComputer, “We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”