Hospital Devices: The Feds have warned of six vulnerabilities in GE medical equipment that could affect patient monitor alarms and more.
A collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals has been discovered. Dubbed “MDhex” by the researchers at CyberMDX who discovered them, the bugs would allow attackers to disable the devices, harvest personal health information (PHI), change alarm settings and alter device functionality.
According to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which disclosed the bugs on Thursday, the six different design flaws are present in the GE CARESCAPE product line.
Affected products include certain versions of the CARESCAPE Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, B450 patient monitor, B650 patient monitor, and B850 patient monitor.
“Launched in 2007, the CARESCAPE product line is extremely popular and has seen adoption in hospitals across the globe,” CyberMDX noted in a statement sent to Threatpost. “Though GE declined to comment on the precise number of affected devices in use globally, the installed base is believed to be in the hundreds of thousands.”
Five of the bugs have CVSS (v3.1) scores of 10, making them critical in severity:
- CVE-2020-6961, which could allow an attacker to obtain access to the SSH private key in configuration files thanks to improper storage;
- CVE-2020-6962, which is an improper input validation bug that exists in the products’ web-based system configuration utility. Exploitation could allow an attacker to obtain arbitrary remote code execution (RCE);
- CVE-2020-6963, which enables rogue SMB (Windows file-share) connections as a result of credentials being hardcoded in the Windows XP Embedded (XPe) operating system. This also would allow RCE;
- CVE-2020-6964, which exists in the integrated service for keyboard switching of the affected devices. Missing authentication means that attackers can obtain remote keyboard input access;