MDhex Vulnerabilities Discovered In GE Healthcare Medical Devices

  •  
  •  
  •  
  • 2
  •  
  •  
  •  
    2
    Shares

Researchers have discovered six different critical MDhex vulnerabilities, in medical devices. These vulnerabilities, upon exploitation, could allow an adversary to mess with devices’ functionality or render them useless.

MDhex Vulnerabilities In Medical Devices

The CyberMDX research team have discovered multiple security vulnerabilities in medical devices. Dubbed MDhex, these six vulnerabilities existed in GE Healthcare’s CARESCAPE patient monitoring devices. The researchers have elaborated on their findings in a blog post.

In brief, five of the six vulnerabilities attained critical severity ratings with a CVSS score of 10.0. These include a SSH Vulnerability exposing private key (CVE-2020-6961), a SMB vulnerability allowing remote connection to read/write files on the system (CVE-2020-6963), MultiMouse / Kavoom KM vulnerability allowing remote control (CVE-2020-6964), vulnerability in VNC software allowing remote control (CVE-2020-6966), and deprecated Webmin version triggering numerous bugs (CVE-2020-6962).

The sixth bug was a GE update management Vulnerability (CVE-2020-6965). This was a high severity vulnerability that received a CVSS score of 8.5.

Patches Rolled Out

The team Cyber MDX found these bugs in September 2019. They informed GE Healthcare about the flaws, and, in collaboration with CISA, the vendors patched the flaws.

These vulnerabilities affected the following devices.

  • Central Information Center (CIC), versions 4.x and 5.x
  • Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
  • CARESCAPE Central Station (CSCS), versions 1.x and 2.x
  • CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
  • B450 patient monitor, version 2.x
  • B650 patient monitor, versions 1.x and 2.x
  • B850 patient monitor, versions 1.x and 2.x

Following the release of patches, researches have now disclosed the vulnerabilities following responsible disclosure protocol. They have also shared the details about possible mitigations and recommendations for every vulnerability in their report. The CISA has also shared an advisory sharing the mitigations and best practices recommended by GE.

For now, GE has confirmed no active exploitation of any of the vulnerabilities in the wild.

Let us know your thoughts in the comments.

The following two tabs change content below.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!