Severe MDHexRay Bug Affects 100+ GE Healthcare Imaging Systems
A vulnerability in GE Healthcare’s proprietary management software used for medical imaging devices could put patients’ health privacy at risk, potentially their lives.
The flaw received the name MDHexRay (CVE-2020-25179) and a severity score of 9.8 out of 10. It affects more than 100 CT, X-Ray, MRI device models in a dozen product lines from the company.
Devices in two dozen families affected
GE’s closed source management software runs on top of the Unix-based operating system installed on medical imaging systems to enable remote maintenance and update procedures.
The MDHexRay vulnerability consists in the use of default credentials, shared by every installation of this software, to authenticate to GE’s servers for update and maintenance tasks. The credentials are publicly available.
Healthcare cybersecurity company CyberMDX discovered and named the vulnerability. The researchers reported the flaw towards the end of May 2020 and have been assisting GE Healthcare in finding a mitigation solution.
In the initial disclosure to GE, several families of affected devices were identified. Since then, more than 100 have been discovered. In a report shared with BleepingComputer, CyberMDX says that the following product lines are vulnerable:
| Modality | Product Families |
|---|---|
| MRI | Signa, Brivo, Optima |
| Ultrasound | LOGIQ, Vivid, EchoPAC, Image Vault, Voluson |
| Advanced Visualization | AW |
| Interventional | Innova, Optima |
| X-Ray | Brivo, Definium, AMX, Discovery, Optima, Precision |
| Mammography | Seno, Senographe Pristina |
| Computed Tomography | BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier |
| Nuclear Medicine, PET/CT | Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace |
Mitigating the issue
Changing these authentication details is possible only from the manufacturer’s end, when customers request it through GE Healthcare’s Support system.
It is unclear how many customers made this request, if any. Elad Luz, head of research at CyberMDX, told BleepingComputer that GE recently started to notify customers through emails and letters, letting them know of the security risk.
A quicker and easier approach, at least in theory, would be for GE to initiate a credential reset and inform its customers in advance. This is easier said than done, though.
Luz told us that one solution discussed with GE was to change the password through remote maintenance sessions that use a secure protocol (reliable authentication and encryption support).
The researcher says that this method would not be feasible because it would require a patch. Given the large number of vulnerable devices, this would be a difficult challenge. Furthermore, even with a patch, it would still take years for it to reach the entire customer base, Luz says.
With medical devices, sometimes on-premise assistance is needed to make sure that everything is set up properly, especially firewall rules.
Until the password is changed, facilities with vulnerable devices should follow network management (access policies) and security best practices. CyberMDX recommends restricting the ports below to listening state:
- FTP (port 21) - used by the modality to obtain executable files from the maintenance server
- SSH (port 22)
- Telnet (port 23) - used by the maintenance server to run shell commands on the modality
- REXEC (port 512) - used by the maintenance server to run shell commands on the modality
Exploiting MDHexRay is pretty straightforward, Luz told us. It is possible from a hospital’s or clinic’s internal network and gives an attacker read and write access to the vulnerable imaging machine, the researcher added.
What the adversary might get is personal health information but they can also manipulate the data, thus influencing the results of a certain therapy, the researcher told us. The possibility of denial of service also exists.
It is worth noting that imaging data resides on the machine only temporarily as its permanent storage is in the picture archiving and communication system (PACS).
At this time there is no indication that MDHexRay has been exploited in the wild. BleepingComputer reached out to GE Healthcare for a statement and the company confirmed that it is not aware of any incident that leveraged this vulnerability.
“We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”
CISA published an advisory today with details on how hospitals and clinics with vulnerable GE Healthcare imaging systems can defend against adversaries that may attempt to exploit the MDHexRay default credentials vulnerability.
The cybersecurity agency says that GE has come up with a solution to MDHexRay and that the company “will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible.”
The recommendation for affected organizations is to isolate the hospital/clinical network and enforce strict access rules based on connection source, destination IP, and port (TELNET, FTP, REXEC, and SSH). CISA also advises using an IPSec VPN and explicit access rules at edge gateways before forwarding incoming connections to the local network.
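The source/destination/port access rule that CyberMDX (port list above) and CISA recommend, as an added example that is not part of the article or of any GE or CyberMDX tooling: a small policy check run over constructed flow records, in which only an assumed maintenance server address may reach the four maintenance ports on an assumed modality subnet. The addresses, the subnet and the records are hypothetical.

```python
"""Policy check for the maintenance ports named in the advisory.

Added example, not part of the original article or of any GE/CyberMDX
tooling. Maintenance server, modality subnet and flow records are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Ports the article lists as used between maintenance server and modality.
MAINTENANCE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

# Assumed topology (hypothetical addresses).
MAINTENANCE_SERVER = ip_address("10.20.0.5")
MODALITY_NET = ip_network("10.20.1.0/24")

# Constructed flow records: "timestamp src dst dport" (TCP assumed).
CONSTRUCTED_FLOWS = """\
2020-12-08T10:00:01 10.20.0.5 10.20.1.17 23
2020-12-08T10:00:02 10.20.0.5 10.20.1.17 21
2020-12-08T10:01:10 10.20.7.44 10.20.1.17 23
2020-12-08T10:01:11 10.20.7.44 10.20.1.17 512
2020-12-08T10:02:00 10.20.7.44 10.20.1.17 104
2020-12-08T10:03:00 10.20.7.44 10.20.9.9 22
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> bool:
    """True if the flow is allowed under the source/destination/port rule."""
    if ip_address(flow.dst) not in MODALITY_NET:
        return True  # destination is not a modality: outside this rule
    if flow.dport not in MAINTENANCE_PORTS:
        return True  # e.g. port 104 imaging traffic, left to general policy
    return ip_address(flow.src) == MAINTENANCE_SERVER  # only the server


def audit(log_text: str) -> List[str]:
    """Parse flow records and report every flow the rule would deny."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        flow = Flow(src, dst, int(dport))
        if not decide(flow):
            svc = MAINTENANCE_PORTS[flow.dport]
            alerts.append(f"{ts} {src} -> {dst}:{dport} ({svc}) denied")
    return alerts


if __name__ == "__main__":
    print("\n".join(audit(CONSTRUCTED_FLOWS)))
```

On the constructed records the two Telnet/REXEC attempts from the non-maintenance host are the only flows denied; the same decision logic maps directly onto a firewall rule set keyed on source, destination and port.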