MDHex Vulnerability
Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in GE CARESCAPE, ApexPro, and Clinical Information Center (CIC) Systems
CISA Advisory (ICSMA-20-023-01)
MDhex Background
Affecting a range of CARESCAPE patient monitoring devices manufactured by GE Healthcare, the bundle of vulnerabilities collectively disclosed in CISA Advisory ICSMA-20-023-01, first came to the attention of CyberMDX security researchers through an investigation into the CIC Pro device.
The CIC Pro is a workstation used by the hospital staff to view all patient physiological data and waveforms, together with patient demographic data, in real-time from a single visual array. This data is transmitted from different patient-side monitors and collected via a shared network. The CIC Pro may also be used to centrally manage distributed monitors — for tasks such as patient admission, time & date synchronization, and setting alarm limits.
The CIC Pro is a popular product among CyberMDX’s customers and when the CyberMDX security solution detected a number CIC Pro devices in the field with potentially problematic open ports running a deprecated Webmin version, an investigation ensued. The investigation resulted in CISA Advisory ICSMA-20-023-01, which lists six separate vulnerabilities — CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966.
These six vulnerabilities, collectively referred to as “MDhex”, were reported to GE on September 18, 2019, and after being verified, were responsibly disclosed on January 23, 2019. In intervening months, CyberMDX, GE, and CISA worked together to fully understand the technical basis of the vulnerabilities so that subsequent mitigation efforts could be properly and effectively managed.
The CIC Pro is not the only GE/CARESCAPE product affected by these vulnerabilities. Other devices in which these vulnerabilities are found are:
| Central Information Center (CIC), versions 4.x and 5.x | CARESCAPE Central Station (CSCS), versions 1.x and 2.x | B450 patient monitor, version 2.x | B850 patient monitor, versions 1.x and 2.x |
| Apex Pro Telemetry Server/Tower, versions 4.2 and earlier | CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior | B650 patient monitor, versions 1.x and 2.x |
Relevant Product Components
Some of the vulnerable devices carry their information using standard HDD and/or memory cards. In these devices, storage is unencrypted, which makes it easy to read and investigate.
Additionally, some of the affected devices may be operated by a hardened version of Windows XP Embedded, with a restricted user account.
SSH Vulnerability (CVE-2020-6961)
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
SSH private key exposed
An SSH server installation allows for the remote management of a device via SSH client.
While SSH is designed for Linux-based devices, the affected Windows-based devices carry an installation of Cygwin that allows Linux programs to run on Windows.
Usually, an SSH server configuration will contain a file that holds public keys of entities authorized to connect. In the case of the affected devices, the configuration also contains a private key. (Best practices would demand that these keys be kept by the vendor and not make their way onto devices in circulation.) The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products. Using the private key, an attacker could remotely access and execute code on these devices — potentially comprising the device’s very availability as well as the confidentiality and integrity of any data it holds.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 22 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
SMB Vulnerability (CVE-2020-6963)
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
SMB with hard-coded credentials allows remote file access
Using hard-coded credentials that are universally shared across an entire line of devices in the CARESCAPE and GE Health family of products, an attacker could establish a remote SMB connection and receive read/write access to all files on the system.
The credentials underlying this vulnerability can be obtained by performing a password recovery on the Windows XP Embedded operating system of affected devices. Once these credentials have been obtained, other devices can be easily breached. This represents a considerable expansion of the network attack surface.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
- Carescape Telemetry Server (versions 4.3 and earlier)
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 445 and 137 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
MultiMouse / Kavoom KM Vulnerability (CVE-2020-6964)
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
MultiMouse / Kavoom KM allows remote control
MultiMouse / Kavoom KM software can be run to allow remote keyboard/mouse and clipboard control of a machine. The intention is to allow a user to centrally manage and control multiple workstations from a single keyboard/mouse for reasons of efficiency/convenience. In the case of this vulnerability, such functionality can be readily abused, with the ability to achieve connections commandeer devices without any credential controls. Practically speaking, this could give hackers a route to alter device settings and overwrite data.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
- Carescape Telemetry Server (versions 4.3 and earlier)
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to any open ports 5225 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
VNC Vulnerability (CVE-2020-6966)
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
VNC allows remote control
VNC is a software used for remote desktop access. Credentials for this access are stored in an insecure manner and can be easily obtained. What’s more, these credentials can also be found in publicly available and easily searchable product documentation. It must again be noted that these hard-coded credentials are universally shared across an entire line of devices in the CARESCAPE and GE Health product families, vastly expanding network attack surfaces. Using these credentials, an attacker can remotely connect to and assume control of the device.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
- Carescape Telemetry Server (versions 4.3 and earlier)
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 5800 and 5900 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
webmin Vulnerability (CVE-2020-6962)
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
Webmin is deprecated and vulnerable
Webmin is a web-based system configuration tool. The Webmin version used in affected devices is deprecated (1.250), opening them up to a number of vulnerabilities with known exploits in the wild.
For example, CVE-2006-3392 details the possibility for arbitrary file read on such devices.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
- Carescape Telemetry Server (versions 4.3 and earlier)
- B450 version 2.x
- B650 / B850 versions 1.x, 2.x
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open port 10000s on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
GE update management Vulnerability (CVE-2020-6965)
| Risk Level: | 8.5. A high severity score has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | September 18, 2019 |
| CISA Advisory date: | January 23, 2020 |
Vulnerability details
Software update manager allows remote file upload
GE devices come pre-loaded with a software update manager to facilitate the remote deployment of updates.
Some of the affected devices would accept any incoming update, while others will require permissions based on the same SSH key exposed to CVE-2020-6961 together with the software update manager. Either way, the result is a state of significant compromise, wherein fraudulent updates can be executed to exhaust drive resources or install malicious software.
Affected Devices
- CIC (versions 4.x, 5.x)
- CSCS (version 1.x)
- Apex Telemetry Server (versions 4.2 and earlier)
- Carescape Telemetry Server (versions 4.3 and earlier)
- B450 version 2.x
- B650 / B850 versions 1.x, 2.x
Mitigations and Recommendations
GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly. Additionally, you should utilize a firewall to close open ports 10001 on affected devices wherever it would not interfere with normal operations, intended use, or important functionality.
Credit
Elad Luz, Head of Research at CyberMDX, a Forescout Company
Forescout Products
Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.