GE Ultrasound Gear Riddled With Bugs, Open to Ransomware & Data Theft

Researchers have discovered 11 security vulnerabilities in GE HealthCare’s Vivid Ultrasound family of products, as well as two related software programs.

The issues are varied, including missing encryption of sensitive data and use of hardcoded credentials, and range in severity from 5.7 to 9.6 on the CVSS 3.1 scale.

As Nozomi Networks explained in its report, the bugs can be chained to arbitrary code execution with full privileges, and any number of attack scenarios follow from that. However, the most serious scenarios also require physical access to the device in question, which substantially reduces the risk for healthcare facilities.

The Bad News

In the course of their study, Nozomi's researchers analyzed three GE HealthCare products: the Vivid T9 ultrasound system, designed primarily for cardiac imaging; its pre-installed Common Service Desktop web application, used for various administrative purposes; and the EchoPAC clinical software package, which doctors use to review and analyze ultrasound images.

In some respects, the products are designed defensively. For example, the Common Service Desktop web app is exposed only on the device's localhost interface, so it cannot be reached over the network. That matters, because administrators use it to change passwords and gather logs, among other tasks.

Other secure design elements didn’t hold up so well, however.

The Vivid T9 is essentially a complete PC running a GE-customized version of Windows 10. Because it is meant for clinical use, most of the device's behavior is implemented by applications and scripts running on top of the operating system, and its graphical user interface (GUI) keeps users away from the underlying OS, with a few exceptions.

However, an older bug in the system, CVE-2020-6977, a kiosk breakout vulnerability rated CVSS 8.4, let the researchers escape the GUI, reach the underlying Windows system, and obtain administrative privileges. From there, CVE-2024-1628, an 8.4-severity command injection flaw in Common Service Desktop, gave them arbitrary code execution, which they demonstrated by dropping ransomware that froze the machine.

Exploiting EchoPAC proved simpler still, provided the program's "Share" feature was enabled. With network access to a doctor's workstation, an attacker can use hardcoded credentials (CVE-2024-27107, rated a critical 9.6) to log in to the live database server instance and read, modify, and exfiltrate patient data.

The Good News

The catch for attackers is that, unlike with network-connected Internet of Things (IoT) medical devices, exploiting the T9 and Common Service Desktop requires physical access to the device's embedded keyboard and trackpad, in practice a malicious insider. (EchoPAC is the exception: it needs only a foothold on the local area network and no credentials at all.)

This is good news for healthcare facilities, but there is a caveat: an attacker can skip the clicking and typing by plugging a malicious drive into the T9's exposed USB port. In its experiments, Nozomi showed that a specially crafted drive could compromise a T9 in about a minute. For this reason, Nozomi recommends that medical staff not leave ultrasound devices unattended.

Patches and mitigations for all 11 vulnerabilities are available at GE HealthCare’s product security portal.




National Cyber Security