Researchers have found insecure configurations of the remote access and administration features present in several patient monitoring devices and servers made by GE Healthcare that are used in clinics and hospitals around the world. The identified issues involve the use of shared hard-coded credentials or no credentials at all for remote management features, as well as the use of outdated applications with known vulnerabilities.
These types of issues have plagued embedded devices for many years and are the result of old product design practices that focused more on usability and ease of remote support than security.
Reused hard-coded credentials
Researchers from CyberMDX, a cybersecurity firm that focuses on services for the healthcare industry, found six high-risk vulnerabilities in GE Healthcare products that they've collectively dubbed MDhex. Their investigation started with a look at the CIC Pro Clinical Information Center, a workstation that nurses and caregivers use to monitor real-time waveforms and vital information from multiple patients at the same time, review historical and demographic data, and manage patient alarms.
The CIC Pro workstations are connected to CARESCAPE, GE's real-time monitoring network for medical facilities, so they can interact with and display data from other devices on the network, including telemetry servers and bedside monitors.
The first vulnerability found by CyberMDX consists of a hard-coded private key in the SSH server shipped with all CIC Pro devices. The same key is also present in the SSH configuration of GE's CARESCAPE Central Station (CSCS) and Apex Telemetry Server. By extracting this private key, attackers can remotely access any affected device via SSH and execute rogue commands on it, an action that can impact the availability and confidentiality of the data it holds.
SSH's key-based authentication feature relies on public-key cryptography. The server contains a list of public keys belonging to users that are allowed to connect, and these users need to have their corresponding private keys inside their client configurations. If this is intended as a management feature that only GE Healthcare can use, the private key should be well protected and never disclosed. "Best practices would demand that these keys be kept by the vendor and not make their way onto devices in circulation," the CyberMDX researchers said in their advisory.
The SSH misconfiguration vulnerability is tracked as CVE-2020-6961 and affects CIC Pro software versions 4.x and 5.x, CSCS software version 1.x and Apex Telemetry Server versions 4.2 and earlier.
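The key-based login described above only stays a vendor-only management feature if each device trusts a key that exists nowhere else. One way a hospital's security team can check that condition across a fleet is to collect each device's authorized_keys file, fingerprint every public key it contains, and flag any fingerprint that authorises logins on more than one device. The following Python script is an added example written for this article, not code from CyberMDX or GE Healthcare; the device names, the key bytes and the authorized_keys contents are all constructed here, and the fingerprint format is the OpenSSH `SHA256:` form printed by `ssh-keygen -lf`.

```python
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Optional

# Key types whose authorized_keys encoding this audit understands.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ed25519_blob(raw32: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key: length-prefixed algorithm name
    followed by the length-prefixed 32-byte key. Used only to build the
    constructed sample lines below; these are not keys from any real device."""
    algo = b"ssh-ed25519"
    return struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw32)) + raw32


def sample_line(raw32: bytes, comment: str) -> str:
    """One constructed authorized_keys line for the sample fleet."""
    return "ssh-ed25519 %s %s" % (base64.b64encode(_ed25519_blob(raw32)).decode(), comment)


def fingerprint(line: str) -> Optional[str]:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None
    if the line is a comment, blank, or carries no recognised key type."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):   # skip leading options such as from="..."
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:                # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def find_shared_keys(fleet: Dict[str, str]) -> Dict[str, List[str]]:
    """fleet maps a device name to the text of its authorized_keys file.
    Returns {fingerprint: [devices]} for every key trusted by more than one
    device; an empty dict means no key is shared across the fleet."""
    devices_by_key = defaultdict(set)
    for device, text in fleet.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fp = fingerprint(line)
            if fp is not None:
                devices_by_key[fp].add(device)
    return {fp: sorted(devs) for fp, devs in devices_by_key.items() if len(devs) > 1}


# Constructed sample fleet: one "vendor" key present on every device (the pattern
# CVE-2020-6961 describes) plus one key unique to each device. The key bytes are
# arbitrary values chosen for this example.
SHARED_KEY = bytes(range(32))
SAMPLE_FLEET = {
    "cic-pro-01": sample_line(SHARED_KEY, "vendor-support") + "\n"
                  + sample_line(bytes([1] * 32), "cic-pro-01-local"),
    "cic-pro-02": sample_line(SHARED_KEY, "vendor-support") + "\n"
                  + sample_line(bytes([2] * 32), "cic-pro-02-local"),
    "cscs-01":    'from="10.0.0.0/8" ' + sample_line(SHARED_KEY, "vendor-support") + "\n"
                  + "# local admin\n" + sample_line(bytes([3] * 32), "cscs-01-local"),
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(SAMPLE_FLEET).items():
        print("%s is trusted by %d devices: %s" % (fp, len(devices), ", ".join(devices)))
```

Run against the constructed fleet, the script reports a single fingerprint trusted by all three devices; a fingerprint that turns up on every unit of a product line is exactly the kind of shared vendor key that should live with the vendor rather than on deployed devices.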
A second vulnerability, tracked as CVE-2020-6963, also involves the use of hard-coded credentials, but this time for the Server Message Block (SMB) file-sharing protocol. Exploiting this weakness gives attackers read and write access to all files on the system. It affects CIC versions 4.x and 5.x, CSCS version 1.x, Apex Telemetry Server versions 4.2 and earlier, as well as CARESCAPE Telemetry Server versions 4.3 and earlier.
"The credentials underlying this vulnerability can be obtained by performing a password recovery on the Windows XP Embedded operating system of affected devices," the researchers said. "Once these credentials have been obtained, other devices can be easily breached."
The third vulnerability, CVE-2020-6966, stems from hard-coded credentials shared across the entire product line for Virtual Network Computing (VNC), a remote desktop protocol feature present on CIC software versions 4.x and 5.x, CSCS version 1.x, Apex Telemetry Server versions 4.2 and earlier, and CARESCAPE Telemetry Server versions 4.3 and earlier. Not only can these VNC credentials be easily obtained from the software, but they are publicly available in the product documentation, the researchers said.
Another vulnerability, CVE-2020-6964, stems from the presence of Kavoom KM MultiMouse software on these devices, which allows users to control multiple workstations with the same physical keyboard and mouse. Using this feature does not require any credentials at all and allows potential attackers to commandeer devices and alter their settings and data. It affects the same devices as the previous vulnerabilities.
Outdated software and insecure updates
The fifth vulnerability, CVE-2020-6962, is caused by the inclusion of a highly outdated version of Webmin in the device software. Webmin is a web-based system administration interface that lets users perform a variety of tasks, such as changing the settings of services including the firewall, adding and removing users, or executing commands.
The Webmin version included with the affected GE Healthcare devices is version 1.2.5 and was released in November 2005. A long list of vulnerabilities has been found and patched in Webmin since then. In addition to CIC, CSCS, Apex Telemetry Server and CARESCAPE Telemetry Server, the B450 and B650/B850 patient monitors are also affected.
Finally, all the devices mentioned above have an insecure software update mechanism that will either accept any incoming updates served to them or will require the shared SSH key exposed by the first vulnerability. "The result is a state of significant compromise, wherein fraudulent updates can be executed to exhaust drive resources or install malicious software," the researchers said.
The CyberMDX researchers advise customers to use firewalls to block access to ports used by the affected services: port 22 for SSH, 445 and 137 for SMB, 5225 for MultiMouse/Kavoom KM, 5800 and 5900 for VNC, 10000 for Webmin and 10001 for the GE updater. However, in practice this can only be done in situations where such port filtering does not seriously affect the normal operation and intended use of the devices.
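Where blocking those ports outright would interfere with clinical use, a network team can at least watch for them: any permitted connection to one of the listed ports on a monitoring device from a host that is not the expected vendor support system or nurse-station viewer is worth a ticket. The following Python script is an added example written for this article, not code from CyberMDX or GE Healthcare. It runs the port list from the advice above over firewall flow records; the key=value log format, the device and host addresses, and the allow-lists are all constructed here, so the parser would need adapting to a real firewall's export format.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Ports CyberMDX advises blocking, with the service behind each and the party
# the article says normally manages it. Findings carry the owner so that a
# vendor-managed service and a customer-managed one reach the right team.
MDHEX_PORTS = {
    22:    ("SSH", "vendor"),
    137:   ("SMB", "vendor"),
    445:   ("SMB", "vendor"),
    5225:  ("MultiMouse/Kavoom KM", "customer"),
    5800:  ("VNC", "customer"),
    5900:  ("VNC", "customer"),
    10000: ("Webmin", "vendor"),
    10001: ("GE updater", "vendor"),
}

# Constructed flow-log format for this example: one flow per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    owner: str


def audit_flows(lines: List[str], monitored: Set[str],
                allowed: Dict[str, Set[str]]) -> List[Finding]:
    """Flag permitted connections to MDhex-relevant ports on monitored devices
    whose source is not on the allow-list for that service's owner. Denied
    flows, other ports and unparsable lines are ignored rather than guessed at."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m.group("dport"))
        if (m.group("dst") not in monitored or dport not in MDHEX_PORTS
                or m.group("action") != "allow"):
            continue
        service, owner = MDHEX_PORTS[dport]
        if m.group("src") in allowed.get(owner, set()):
            continue
        findings.append(Finding(m.group("ts"), m.group("src"), m.group("dst"),
                                dport, service, owner))
    return findings


# Constructed addresses: two monitoring devices, one vendor support jump host
# and one nurse-station VNC viewer. None of these are real addresses.
MONITORED = {"10.20.40.11", "10.20.40.12"}
ALLOWED = {
    "vendor":   {"10.20.1.10"},
    "customer": {"10.20.2.5"},
}
SAMPLE_LOG = [
    "2020-01-23T10:15:02Z src=10.20.1.10 dst=10.20.40.11 dport=22 proto=tcp action=allow",
    "2020-01-23T10:15:09Z src=10.20.2.5 dst=10.20.40.12 dport=5900 proto=tcp action=allow",
    "2020-01-23T10:16:31Z src=10.20.77.3 dst=10.20.40.11 dport=445 proto=tcp action=allow",
    "2020-01-23T10:16:40Z src=10.20.77.3 dst=10.20.40.11 dport=10000 proto=tcp action=deny",
    "2020-01-23T10:17:12Z src=10.20.77.3 dst=10.20.40.12 dport=5225 proto=tcp action=allow",
    "2020-01-23T10:17:30Z src=10.20.77.3 dst=10.20.40.12 dport=443 proto=tcp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_LOG, MONITORED, ALLOWED):
        print("%s %s -> %s:%d (%s, %s-managed)" % (f.ts, f.src, f.dst, f.dport, f.service, f.owner))
```

On the constructed log the script reports two flows: an SMB connection to a monitoring device from an unexpected host, routed to the vendor-owned queue, and a MultiMouse connection from the same host, routed to the customer-owned queue. The two allow-listed flows, the denied Webmin attempt and the unrelated port 443 flow are left alone.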
SSH, GE update manager, Webmin and SMB are meant to be managed, maintained and updated by the vendor, while VNC and MultiMouse are handled by the customer to help with monitoring, Elad Luz, head of research at CyberMDX, tells CSO.
According to a GE Healthcare spokesperson, the company has instructed customers to follow network management best practices and is developing patches to address the problems. The company is not aware of any exploitation of these issues in a clinical situation so far.
"For the products included in the disclosure, security recommendations have been provided to ensure the isolated network and security of the products function as intended," the spokesperson said in an emailed statement. "The disclosed security vulnerability can be mitigated through a properly configured and isolated network. Although the instructions provided to customers provide sufficient risk mitigation, we are developing software updates/patches that include additional security enhancements, which will be available in Q2 2020. Customers can access GE Healthcare’s security website to receive the most current information."
CyberMDX has worked with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and GE Healthcare to coordinate the disclosure of the vulnerabilities. The agency released its own advisory today.
Medical devices with weak access controls
According to Luz, the issue of hard-coded credentials and weak access controls is widespread in the medical device world. In fact, a common problem for medical devices is "a lack of authentication, meaning no credentials at all," he says.
Lack of basic security by design exposes medical devices to a multitude of attacks, from denial of service, which can impact their availability, to data and functionality manipulation and even ransomware attacks, since many of them run Windows. Given the importance of these devices in hospitals and clinics, attacks that disrupt their normal operation could potentially impact patient health.