Two critical vulnerabilities affecting GE medical products could allow personal healthcare information to be stolen and could potentially allow the affected medical devices to be shut off completely. The bugs were originally discovered back in May by CyberMDX but kept confidential while the manufacturer worked on solutions until yesterday, when the vulnerabilities were officially disclosed by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Over 100 different types of medical devices are believed to be affected by the bugs—these include CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines and ultrasound devices. The bugs, identified as CVE-2020-25175 and CVE-2020-25179, received a 9.8 CVSS score, and rightfully so. They are exploitable because all of these systems share a common built-in password that allows remote servicing through GE’s proprietary administration system. Patches are in the works, but because the exploitation complexity is low, the devices will remain extremely vulnerable until those patches are released.
All clients who use the machines must contact GE and request a password reset on all of their devices, as this can only be done by GE's Healthcare Support team. While there is no evidence of the bugs being exploited just yet, healthcare professionals must remain vigilant and report any suspicious machine behavior to GE. As soon as a patch is available, it will most likely be pushed to all affected machines automatically, but if it is not, the patch should be applied as soon as possible. For more information about the bugs, please visit: https://threatpost.com/critical-unpatched-bug-ge-radiological-devices/162012/