Critical Vulnerability reported on GE Healthcare Imaging and Ultrasound products

Executive Summary

The US Cybersecurity & Infrastructure Security Agency has released an advisory today on GE Healthcare Imaging and Ultrasound Products.

That advisory can be found here including a full list of affected products: https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01

These vulnerabilities are being assigned CVE-2020-25175 and CVE-2020-25179, both provided with a CVSS v3 score of 9.8 out of 10 classified as critical vulnerabilities.

Successful exploitation of these vulnerabilities could occur if an attacker gains access to the healthcare delivery organization’s network. If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (Remote) service user privileges. This could expose sensitive data involving patient health information (PHI) or allow the attacker to run arbitrary code.

The devices are configured with an easily findable default password and clients are unable to change the password without contacting the GE Healthcare support team for assistance.

GE’s reporting on the vulnerability can be found here: https://www.gehealthcare.com/en-US/security

As of writing, there have been no reported incidents of a cyber-attack in a clinical use or any reported injuries associated with these vulnerabilities.

Recommendations 

•    Contact GE’s Healthcare support team for assistance in changing the default password on affected devices (A full list can be found here: https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01 and the client portal for sign-in can be found here: https://www.gehealthcare.com/en-US/security )

•    Ensure proper segmentation of the local hospital/clinical network and create explicit access rules based on source/destination IP/port for all connections, including those used for remote support. Specific ports to consider may include those used for TELNET (port 23), FTP (port 21), REXEC (port 512), and SSH (port 22) which are utilized for remote maintenance/support on the devices.

•    Utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local hospital/clinical network.