Researchers have discovered six different critical MDhex vulnerabilities in medical devices. These vulnerabilities, upon exploitation, could allow an adversary to mess with the devices’ functionality or render them useless.
MDhex Vulnerabilities In Medical Devices
The CyberMDX research team has discovered multiple security vulnerabilities in medical devices. Dubbed MDhex, these six vulnerabilities existed in GE Healthcare’s CARESCAPE patient monitoring devices. The researchers have elaborated on their findings in a blog post.
In brief, five of the six vulnerabilities attained critical severity ratings with a CVSS score of 10.0. These include an SSH vulnerability exposing a private key (CVE-2020-6961), an SMB vulnerability allowing a remote connection to read/write files on the system (CVE-2020-6963), a MultiMouse / Kavoom KM vulnerability allowing remote control (CVE-2020-6964), a vulnerability in VNC software allowing remote control (CVE-2020-6966), and a deprecated Webmin version triggering numerous bugs (CVE-2020-6962).
The sixth bug was a GE update management vulnerability (CVE-2020-6965). This was a high-severity vulnerability that received a CVSS score of 8.5.
Patches Rolled Out
The CyberMDX team found these bugs in September 2019. They informed GE Healthcare about the flaws, and, in collaboration with CISA, the vendors patched the flaws.
These vulnerabilities affected the following devices:
- Central Information Center (CIC), versions 4.x and 5.x
- Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
- CARESCAPE Central Station (CSCS), versions 1.x and 2.x
- CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
- B450 patient monitor, version 2.x
- B650 patient monitor, versions 1.x and 2.x
- B850 patient monitor, versions 1.x and 2.x
Following the release of patches, the researchers have now disclosed the vulnerabilities in line with responsible disclosure protocol. They have also shared details about possible mitigations and recommendations for every vulnerability in their report. CISA has also published an advisory with the mitigations and best practices recommended by GE.
For now, GE has confirmed no active exploitation of any of the vulnerabilities in the wild.