MDhex-Ray is a vulnerability that affects a long list of CT, X-ray, and MRI imaging systems manufactured by GE Healthcare.
Earlier this week, CyberMDX discovered the vulnerability in GE Healthcare's medical imaging devices.
Successfully exploiting the vulnerability may expose sensitive data such as protected health information (PHI), also referred to as personal health information.
It could also allow an attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.
Software Vulnerability — CVE-2020-25179
More than 100 devices are affected by this vulnerability across the following product lines:

| Modality | Product lines |
|---|---|
| MRI | Signa, Brivo, Optima |
| Ultrasound | LOGIQ, Vivid, EchoPAC, Image Vault, Voluson |
| X-Ray | Brivo, Definium, AMX, Discovery, Optima, Precision |
The vulnerability has been assigned a CVSS v3 base score of 9.8 (critical), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network, requires no privileges and no user interaction, and has a high impact on confidentiality, integrity, and availability.
The affected modalities have an integrated PC running a Unix-based operating system. On top of that operating system runs proprietary software that manages the device, including the maintenance and update procedures that GE performs remotely over the internet.
The update and maintenance software periodically connects to GE's online maintenance servers, and those connections are authenticated with static credentials that are publicly exposed (they can be found online). Anyone who can reach the device on its maintenance ports can therefore authenticate with the same credentials GE uses.
Hannah Huntly, a spokesperson for GE Healthcare, said in a statement: “We are not aware of any incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern.”
She added: “Maintaining the safety, quality, and security of our devices is our highest priority.”
Mitigations and Recommendations
Contact GE Healthcare and request a credential change on all affected devices in your facility.
GE Healthcare has said it plans to provide patches and additional security information about this vulnerability for affected users.
Until those are available, implement a network policy that restricts the following ports on the affected devices so that they are reachable only from GE maintenance servers:
- FTP (port 21) – used by the modality to obtain executable files from the maintenance server
- SSH (port 22)
- Telnet (port 23) – used by the maintenance server to run shell commands on the modality
- REXEC (port 512) – used by the maintenance server to run shell commands on the modality
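The policy in the list above can be audited against flow or firewall logs: any TCP connection to one of the four maintenance ports on a modality that does not originate from a GE maintenance server is a violation. The script below is an added example, not code from the original article, GE Healthcare, or CyberMDX. The modality addresses, the maintenance-server range (TEST-NET-3 as a placeholder) and the log lines are constructed for illustration; replace them with your device inventory and the addresses GE provides for your site.

```python
"""
Audit flow-log lines against the recommended network policy for the affected
GE modalities: FTP (21), SSH (22), Telnet (23) and REXEC (512) on a modality
must only be reachable from GE maintenance servers.

Added example; addresses and log lines are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ports named in the advisory's mitigation guidance.
RESTRICTED_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

# Hypothetical inventory: the imaging consoles you want to protect.
MODALITIES = {
    ipaddress.ip_address("10.20.30.11"),  # e.g. an MRI console (placeholder)
    ipaddress.ip_address("10.20.30.12"),  # e.g. an X-ray console (placeholder)
}

# Placeholder for the maintenance-server addresses GE gives your facility.
GE_MAINTENANCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    dst: IPAddr
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def is_ge_maintenance(addr: IPAddr) -> bool:
    """True if the address falls inside one of the GE maintenance ranges."""
    return any(addr in net for net in GE_MAINTENANCE_NETS)


def classify(flow: Flow) -> str:
    """Return 'allow', or a reason string describing the policy violation.

    Only TCP flows to a restricted port on an inventoried modality are in
    scope; everything else (other hosts, other ports such as DICOM on 104)
    is left to the rest of your firewall policy and reported as 'allow'.
    """
    if flow.proto != "tcp" or flow.dst not in MODALITIES:
        return "allow"
    if flow.dport not in RESTRICTED_PORTS:
        return "allow"
    if is_ge_maintenance(flow.src):
        return "allow"
    return (f"{RESTRICTED_PORTS[flow.dport]}/{flow.dport} on modality "
            f"{flow.dst} reached from non-GE source {flow.src}")


def audit(lines) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for every line that violates the policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason != "allow":
            violations.append((flow, reason))
    return violations


# Constructed sample log: one legitimate GE FTP session, two violations
# (Telnet and REXEC from a workstation), one DICOM flow that is out of scope,
# and one SSH flow to a host that is not a modality.
SAMPLE_LOG = """
# ts src dst dport proto
2020-12-08T10:00:01Z 203.0.113.5 10.20.30.11 21 tcp
2020-12-08T10:00:02Z 192.168.1.50 10.20.30.11 23 tcp
2020-12-08T10:00:03Z 192.168.1.50 10.20.30.12 512 tcp
2020-12-08T10:00:04Z 192.168.1.50 10.20.30.12 104 tcp
2020-12-08T10:00:05Z 192.168.1.50 10.20.30.99 22 tcp
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} VIOLATION: {reason}")
```

Run against the constructed sample, the audit reports two violations (the Telnet and REXEC connections from 192.168.1.50) and stays silent on the GE-originated FTP session, the DICOM flow, and the SSH flow to a non-modality host. Feed it real flow records in the same five-field shape to find hosts that can still reach the maintenance ports before the firewall policy is enforced.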
For more information, check GE Healthcare's website or reach out to the vendor directly.