GE Radiology Vulnerability
Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in GE LightSpeed, Revolution, and other CT, MRI, and X-Ray imaging systems
CISA Advisory (ICSMA-20-343-01)
MDhex-Ray Background
MDhex-Ray is a vulnerability discovered by Vedere Labs (formerly CyberMDX) and published by CISA on the 8th of December 2020 as CVE-2020-25179. MDhex-Ray affects a long list of CT, X-Ray, and MRI imaging systems manufactured by GE Healthcare.
Successfully exploiting the vulnerability may expose sensitive data – such as PHI – or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.
The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical in score. Immediately upon discovering the flaw in May 2020, CyberMDX has contacted GE Healthcare to report the issue and both organizations are working together to resolve it.
More than 100 devices are affected by this vulnerability across the following product lines:
| Modality | Product Families |
|---|---|
| MRI | Signa, Brivo, Optima |
| Ultrasound | LOGIQ, Vivid, EchoPAC, Image Vault, Voluson |
| Advanced Visualization | AW |
| Interventional | Innova, Optima |
| X-Ray | Brivo, Definium, AMX, Discovery, Optima, Precision |
| Mammography | Seno, Senographe Pristina |
| Computed Tomography | BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier |
| Nuclear Medicine, PET/CT | Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace |
GE Management Software Vulnerability (CVE-2020-25179)
| Risk Level: | A maximum severity score of 9.8 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported: | May, 2020 |
| CISA Advisory date: | December 8, 2020 |
Vulnerability Details
Default credentials used on GE proprietary management software
The affected modalities have an integrated PC running a Unix-based operating system. On top of its operating system, the modalities have proprietary software installed that manages the device as well as its maintenance and update procedures done by GE from the internet.
The update and maintenance software authenticates connections by using credentials that are publicly exposed (can be found online) and does so periodically with GE’s online maintenance servers.
The credentials can only be updated by the GE Healthcare Support team. If not updated through a customer request – credentials are left default.
Having HDOs not aware of the existence of those credentials or the nature of the maintenance mechanism, we found those modalities to lack restrictions on maintenance communication with entities other than GE servers.
Mitigations and Recommendations
Contact GE Healthcare and request credentials change on all affected devices in your facility. Note – the credentials change can ONLY be performed by the GE Healthcare Support team. Customers do not have the ability to change them at this time.
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly.
Additionally, you should implement a network policy that restricts the following ports for the affected devices to be available only for GE maintenance servers:
- FTP (port 21) – used by the modality to obtain executable files from the maintenance server
- SSH (port 22)
- Telnet (port 23) – used by the maintenance server to run shell commands on the modality
- REXEC (port 512) – used by the maintenance server to run shell commands on the modality
Credit
Elad Luz, Head of Research at CyberMDX, a Forescout Company
Lior Bar Yosef, Cyber Security Analyst
Forescout Products
Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.