For information on reporting discovered vulnerabilities in GE Healthcare products, please see the GE Healthcare Coordinated Vulnerability Disclosure Statement.


June 16, 2020

Ripple20 - Treck TCP/IP stack vulnerabilities

GE Healthcare is aware of several TCP/IP stack vulnerabilities named Ripple20 disclosed by Treck on June 16, 2020 (https://www.us-cert.gov/ics/advisories/ICSA-20-168-01). GE Healthcare is currently not aware of any of its products directly impacted by these vulnerabilities, but there is possible impact to third-party components used in combination with GE Healthcare products. Our customers can find more information through our Product Security Portal (https://securityupdate.gehealthcare.com/).


March 4, 2020

SWEYNTOOTH/Bluetooth Low Energy (LE) Vulnerabilities

GE Healthcare is aware of a collection of 12 vulnerabilities impacting Bluetooth Low Energy devices, known collectively as SWEYNTOOTH. The 12 vulnerabilities identified are related to specific Bluetooth hardware manufacturers utilizing various affected software development kits (SDKs). These vulnerabilities are not strictly related to the Bluetooth Low Energy protocol itself.

Product assessments have been completed against all GE Healthcare products utilizing Bluetooth communication; none of these products are impacted by the SWEYNTOOTH vulnerabilities. Our devices do not contain the impacted vulnerable Bluetooth hardware components.

GE Healthcare's standard process is to continuously monitor our products against vulnerabilities and provide updates to our customers as necessary on our product security portal at https://securityupdate.gehealthcare.com/.


February 18, 2020

ICS advisory regarding GE Healthcare ultrasound devices

Summary: GE Healthcare actively participated in a Coordinated Security Vulnerability Disclosure, describing how ultrasound devices utilize a method of software application implementation called kiosk mode. This kiosk mode is vulnerable to local breakouts, allowing malicious persons with the right skills to reach the operating system on these devices if allowed physical access to the device and to the software application. GE Healthcare has determined that this scenario does not allow for elevated levels of access to data and does not introduce clinical hazard or patient risk.

GE Healthcare, the researchers listed and DHS-CISA have interacted throughout the disclosure process.

CVE-2020-6977 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). For more information from DHS-CISA see: https://www.us-cert.gov/ics/advisories/icsma-20-049-02

Risk Analysis: GE Healthcare conducted a formal internal risk investigation and determined that the worst-case scenario would be malicious action which renders the device unusable, with clear indicators of this to the intended user of the device. The potentially vulnerable scenario described only applies at a local level; an unauthorized party would need to have direct access to the device screen, application, keyboard and mouse.

Involved devices:

GE Healthcare ultrasound products not vulnerable to Kiosk breakout by design:

  • EchoPAC
  • LOGIQ 100 Pro
  • ImageVault
  • Versana (all except for Versana Essential)
  • VScan product line
  • Venue 40 R1-3, 50 R4-5
  • ViewPoint product line

GE Healthcare Ultrasound products potentially vulnerable to Kiosk breakouts:

  • Vivid product line
  • LOGIQ (all except for LOGIQ 100 Pro)
  • Voluson product line
  • Versana Essential
  • Invenia ABUS Scan station
  • Venue (all except for 40 R1-3, 50 R4-5)

Security Recommendations: GE Healthcare recommends that organizations restrict access to devices by unauthorized individuals. Additionally, where available, it is recommended to enable an application lock or username/password combination to further restrict application access on the device.

If you have any questions, please reach out to your local GE Service Representative or visit https://securityupdate.gehealthcare.com/


January 23, 2020

Vulnerability Disclosure regarding GE Healthcare Monitoring products

Summary: GE Healthcare is disclosing security vulnerabilities with potential safety implications within certain monitoring products. These vulnerabilities have been reported to GE Healthcare by CyberMDX.

Safety Disclosure: When connected to improperly configured Mission Critical (MC) and/or Information Exchange (IX) networks, certain versions of the CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) version 1 and Central Information Center (CIC) systems were identified to have vulnerabilities that, if exploited, could possibly result in a loss of monitoring and/or loss of alarms during active patient monitoring. The vulnerability and related risk of exploitation is higher if the above-mentioned networks are improperly configured.

Situation: Six (6) vulnerabilities have been identified which, if exploited, may allow an attacker to:

  • Make changes at the operating system level of the device, with effects such as rendering the device unusable or otherwise interfering with the function of the device, and/or
  • Make certain changes to alarm settings on connected patient monitors, and/or
  • Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.

Properly configured MC and IX networks greatly reduce but do not eliminate the ability to gain access to the networks. As a result, if the networks are properly isolated, for this issue to occur, the unauthorized person would need to gain physical access to the listed monitoring devices themselves individually or acquire direct access to the isolated MC or IX networks on-site at the hospital.

In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network.

If an attacker gains access to the MC and IX network, the following could be exploited: an exposed private key, exposed services, and components with identified software vulnerabilities. In addition to the product impact disclosure above, such a successful exploit may result in potential access to a limited history of patient data (e.g. monitoring/parameter data). The scoring applied to these vulnerabilities represents a situation in which the implementation instructions are not followed, and MC and IX networks are accessible from the hospital network. The score assigned is a CVSS v3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). In properly configured situations, an environmental score should be applied, which GE Healthcare suggests as follows, with a resulting CVSS v3.1 score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:L/MAC:H). For more information on individual vulnerabilities and CVE identifiers, please see the DHS-CISA advisory.

Security recommendations: You can continue to use your devices. Confirm the proper configuration of the MC and IX networks to ensure the isolation and configuration meets the requirements listed in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and your product Technical and Service Manuals. A properly isolated network requires an attacker to gain physical access in order to carry out an exploit.

In addition to applying network management best practices, ensure:

  1. MC and IX Networks are isolated;
  2. MC and IX Router/Firewalls block incoming traffic, as applicable;
  3. Restricted physical access to Central Stations, Telemetry Servers, MC network and IX network;
  4. Default passwords are changed as applicable; and
  5. Password management best practices are followed.

Products covered by this disclosure:

  • ApexPro Telemetry Server and CARESCAPE Telemetry Server, version 4.2 and earlier
  • CARESCAPE Central Station (CSCS) version 1, version 1.x
  • Central Information Center (CIC), versions 4.x and 5.x

Vulnerabilities applicable to each of these products: exposed private key; exposed services; components with identified software vulnerabilities (please see the DHS-CISA advisory for a full overview of all vulnerabilities).
There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities.

In addition, GE is developing software updates/patches including additional security enhancements that will be made available. In accordance with GE’s continual cybersecurity hygiene process, customers can access GE’s security website (https://securityupdate.gehealthcare.com) to receive the most up to date information, and can subscribe to receive notifications when new updates/patches are available.

Please reach out to your local GE Representative for any information regarding network set-up, configuration, maintenance and monitoring, or if you have any additional questions.

Note: While a subset of vulnerabilities exists in other products (listed in the table below), these devices have different designs and security mitigations and are therefore not reasonably expected to be susceptible to an exploit. Customers with these products do not need to take any further actions, for this issue.

  • CARESCAPE Telemetry Server, version 4.3: Common private key (CVE-2020-6961); Components with identified software vulnerabilities (CVE-2020-6962)
  • CARESCAPE Central Station (CSCS) version 2, version 2.x: Components with identified software vulnerabilities (CVE-2020-6962 and CVE-2020-6964)
  • Bx50 v2 (includes B850, B650, B450), version 2.x, and Bx50 v1 (includes B850, B650), version 1.x: Components with identified software vulnerabilities (CVE-2020-6962); Exposed services (CVE-2020-6965)


January 16, 2020

MS CVE-2020-0601 - Windows CryptoAPI Spoofing Vulnerability

Microsoft has identified a spoofing vulnerability in versions of the Windows 10 and Windows Server 2016/2019 operating systems, in the way Windows CryptoAPI validates certificates. This vulnerability could allow an exploit by using a spoofed code-signing certificate to sign malicious executables and websites.

Specific details are available from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0601.

GE Healthcare is actively assessing products that utilize impacted Microsoft Operating Systems. This statement will be updated as more information becomes available, and we will notify customers through our GE Healthcare Product Security Portal (https://securityupdate.gehealthcare.com).


Original post: August 21, 2019 – Latest update: March 26, 2020

URGENT/11 (VxWorks TCP/IP Stack (IPnet) Vulnerabilities)

GE Healthcare is aware of several VxWorks vulnerabilities that were discovered in the TCP/IP stack (IPnet), a component of certain versions of VxWorks. Wind River has created patches for these security vulnerabilities. To date, there is no indication that the vulnerabilities have been exploited.

We have completed applicability assessments of our products based on product software components and, where applicable, in-depth assessments. GE Healthcare customers can review the status or potential impact per product on https://securityupdate.gehealthcare.com.

GE Healthcare will continue to monitor the situation and will provide any necessary updates, and we will notify customers through our Product Security Portal (https://securityupdate.gehealthcare.com).


August 14, 2019

MS CVE-2019-1181 and CVE-2019-1182 - Remote Desktop Services Remote Code Execution Vulnerabilities

GE Healthcare is aware of Microsoft reports for users of various Windows versions to apply critical Windows Updates.  Microsoft has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in the following: Windows 7 SP1, Windows 8.1, Windows 10, and Windows Server versions like Windows Server 2008 R2, and Windows Server 2012. We are conducting assessments of our products to determine any potential impact. This statement will be updated as more information becomes available, and we will notify customers through our Product Security Portal (https://securityupdate.gehealthcare.com/) if any products are suspected or known to be at risk.


July 16, 2019

ICS advisory regarding GE anesthesia devices

Update: Upon further investigation and out of an abundance of caution, GE Healthcare is updating the statement previously posted and directly notifying users. Please review below in its entirety.

Summary

GE Healthcare is aware of a disclosure by ICS-CERT/CISA describing how connecting a device serial port via an add-on and insufficiently secured third-party terminal server to a hospital network may lead to unauthorized access to certain GE Healthcare anesthesia devices. This vulnerability is not in the anesthesia device itself but may arise if users have connected the device to such insufficiently secured third-party network terminal servers.

The vulnerability could impact GE Healthcare anesthesia devices in the following four ways:

  1. Flow Sensor

    Although extremely improbable, an insufficiently secured terminal server may provide an opportunity for a malicious actor that has already penetrated the hospital network to send fraudulent flow sensor correction parameters to certain products (see table). A terminal server is an accessory that can be obtained from a third-party supplier (non-GE Healthcare) outside of the standard product configuration. If fraudulent flow sensor correction parameters are sent, the flow sensor calibration could be impacted and cause over-delivery of tidal volume to a patient if Volume Control ventilation is being used. Over-delivery of tidal volume could in rare cases theoretically lead to an increased risk of lung injury. In addition, under-delivery could theoretically occur and cause too little total volume of gas to be delivered. If this were to occur without normal clinical intervention, there could theoretically be compromise of patient oxygenation or ventilation.

    Note: the anesthesia machines involved have analog gas controls and a mechanical vaporizer, therefore remote adjustment of gas mix or drug levels is not possible.

  2. Alarm

    Alarms may be silenced by a malicious actor, however, only after the initial audible alarm sounds. Visual alarms continue to be displayed and available to the attending clinician. As well, any new alarms break through the silence alarm command and provide audio alert to the user. Anesthesia devices are qualified as an “attended device” where a highly skilled clinician is continuously monitoring the device and this scenario is not reasonably expected to cause patient harm.

  3. Clock

    The device date and time clock may be modified by a malicious actor on certain products (see table), however, this modification cannot happen after the patient procedure has started and does not impact the intended use of the device. The time is displayed on the screen at all times. This scenario is not reasonably expected to cause patient harm.

  4. Patient weight and age

    A malicious actor could modify the patient weight and age on certain products (see table), however, these parameters must be confirmed and accepted prior to device use by the clinician, do not automatically impact device performance and cannot be modified while the device is in use. This scenario is not reasonably expected to cause patient harm.

There have not been any incidences of cyber-attacks or injuries reported to GE Healthcare because of these issues.

Involved devices

Device | 1. Flow Sensor Scenario | 2. Alarm Silence Scenario | 3. Clock Scenario | 4. Weight and Age Scenario
Aespire 7100 / 100 / Protiva / Carestation | Yes (a), Software Version 1.x | Yes | No | No
Aestiva 7100 | Yes (b), Software Version 1.x | Yes | No | No
Aestiva 7900 | Yes (c), Software Versions 1.x, 2.x, 3.x | Yes | No | No
Aestiva MRI | Yes (d), Software Version 3.x | Yes | No | No
Aespire 7900 | No | Yes | No | No
Aespire View | No | Yes | No | No
Aisys, Aisys CS2, Avance, Amingo, Avance CS2 | No | Yes | Yes | Yes
Carestation 620/650/650c | No | Yes | Yes | Yes

(a) Devices manufactured prior to October 2010.

(b) Devices manufactured prior to February 2014.

(c) Devices manufactured prior to March 2004.

(d) Devices manufactured prior to July 2014.

Security Recommendations

GE Healthcare recommends organizations use secure terminal servers if choosing to connect GE Healthcare anesthesia device serial ports to TCP/IP networks. Secure terminal servers, when correctly configured, provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.

GE Healthcare recommends that organizations utilize best practices for terminal servers that include governance, management and secure deployment measures such as network segmentation, VLANs and device isolation to enhance existing security measures.

If you have any questions, please reach out to your local GE Representative.

For more information from ICS-CERT/CISA see: https://www.us-cert.gov/ics/advisories/icsma-19-190-01

Original post: May 14, 2019 – Latest update: May 21, 2019

BlueKeep (MS CVE-2019-0708 - Remote Desktop Services Code Execution Vulnerability)

Update: Initial product assessments have been completed; GE Healthcare customers can obtain a per-product view of potentially impacted areas based on a preliminary applicability assessment. Currently, all potentially affected products are being assessed by internal GE Healthcare teams to determine remediation actions; over the coming days to weeks, the results of these assessments, including validated patches and patch installation instructions, will be updated on the Vulnerability Management Portal as they become available.

Original message: GE Healthcare is aware of Microsoft reports for users of various Windows versions to apply a critical Windows Update. Microsoft has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in the following: Windows XP, Windows 7, and Windows Server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft has released patches for Windows XP and Windows Server 2003 specifically, even though both operating systems are no longer supported. We are conducting assessments of our products to determine any potential impact. This statement will be updated as more information becomes available, and we will notify customers through our Vulnerability Management Portal (https://securityupdate.gehealthcare.com/) if any products are suspected or known to be at risk.



Silex Bridge Accessory Vulnerability in GE Healthcare ECG Devices

GE Healthcare is aware that a security researcher has discovered two security vulnerabilities within a Silex wireless bridge used as an optional accessory in certain GE Healthcare ECG products. If exploited, these vulnerabilities could allow a threat actor to interfere with communications between the product and the hospital network. GE is not aware of any actual exploit of these vulnerabilities. Potential exploit paths do not affect clinical function of the impacted devices. This information was made publicly available 08 May 2018 via ICS-CERT advisory “ICSMA-18-128-01 Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink” at https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01.

This optional bridge accessory may be used in GE Healthcare’s MAC 3500, MAC 5000 (product end of life in 2012), MAC 5500, and MAC 5500 HD. The noted vulnerability impacts this accessory and its function as a bridge to the hospital network. Exploit of the vulnerability requires proximity to the devices and would not impact clinical function or data protection.

The two vulnerabilities and mitigation methods are:

  1. CVE-2018-6020, GEH-500 Version 1.54 and prior (integrated into GE MobileLink). Mitigation: Enable the “update” account within the web interface, which is not enabled by default. Set the secondary password for the “update” account to prevent unauthenticated changes to the bridge configuration.
  2. CVE-2018-6021, GEH-SD-320AN, Version GEH-1.1 and prior (integrated into GE MobileLink). Mitigation: The Silex firmware upgrade is approved by GE Healthcare and customers can download the upgrade and instructions via this link: http://silextechnology.com/geh320an/

Medical device security is a top priority for GE Healthcare, and we will continue to work with customers to provide safe and secure healthcare.



NCCIC/ICS-CERT Medical Device Advisory re GE Medical Devices

National Cybersecurity and Communications Integration Center for Industrial Control Systems (NCCIC/ICS-CERT) has issued an advisory addressing use of default credentials in certain GE Healthcare products. This NCCIC/ICS-CERT advisory provides an update to a US-CERT bulletin released in August 2015, and all information on the default credentials was previously made public in the 2015 US-CERT bulletin.

Background

In 2015, a researcher submitted information to ICS-CERT regarding the use of default and/or hard-coded passwords in certain GE Healthcare products. These passwords were given in Operator or Service Manuals that were made available within a GE Healthcare resource library accessible to customers via hardcopy and internet. This information was subsequently provided by the researcher to US-CERT and published in US-CERT Bulletin SB15-222, released 10 August 2015. The risk scores given in this bulletin were not reviewed with GE Healthcare prior to publication and did not reflect any technical product risk assessment. Upon investigation, GE Healthcare determined that most of the passwords were changeable based on existing product documentation, while some passwords did not have change processes within existing documentation. GE Healthcare recognizes that current industry best practices include restrictions and safeguards on the use of passwords and will continue to support customer requests for assistance to change these passwords.

GE Healthcare Risk Assessment Process

GE Healthcare has evaluated the password concern raised by the NCCIC/ICS-CERT advisory through an established risk management process addressing safety risks, as well as general security risks to confidentiality, integrity, and availability of device assets. GE Healthcare’s risk assessment concluded that safety risk in these products is at an acceptable level. This conclusion is supported by our historical and ongoing surveillance of products in use, as well as safety risk assessments conducted during the product design process. All these products have been subject to ongoing medical device post-market surveillance, and GE Healthcare has no evidence of any adverse safety event or security event pertaining to the confidentiality, integrity, or availability of these devices caused by misuse of these passwords. The design of these products includes mitigations against potential safety risks associated with misuse of the passwords. GE Healthcare will continue to monitor our products for safety and security events and respond to our customers’ need for information related to the security of our devices.


GE Healthcare Guidance on Petya Ransomware

GE Healthcare is aware of the recent reports of a widespread ransomware event, known as “Petya,” that is affecting entities globally in a diverse range of industries. Based on the information currently available, it appears that a common distribution method of the Petya ransomware is through spear phishing using a malicious document (e.g., e-mail). Similar to the recent WannaCry event, once the ransomware has made it onto a system, Petya encrypts the hard-drive and demands a Bitcoin ransom to unlock it.

At this time, there is no expected impact to GE Healthcare devices that have been remediated through patching to address the MS17-010 SMBv1 (WannaCry) vulnerability. However, software and devices that have not yet been patched to address MS17-010 SMBv1 remain vulnerable to the Petya ransomware. GE Healthcare recommends that you apply the necessary patches as soon as possible. For more information regarding specific devices or products in your installed base, please contact your GE Service Representative or GE Service Call Center.

GE Healthcare will continue to monitor the situation and will provide any necessary updates.


GE Healthcare Guidance on WannaCry Ransomware

Overview and background

GE Healthcare is closely monitoring and taking action to address an ongoing ransomware campaign known as WannaCry, WCry, or Wanna Decryptor, targeting Windows-based systems globally. The WannaCry “ransomware” (a form of malware) propagates either through phishing campaigns or through the Microsoft vulnerability MS17-010 SMBv1. Once WannaCry enters a device, it encrypts the data on the device and demands a bitcoin ransom in exchange for releasing the data and unlocking the device.

GE Healthcare initial response

GE Healthcare has activated a cross-functional engineering, cybersecurity, services and technology team to undertake a full review of all products.  Our teams around the world are continuously monitoring the situation to ensure customers and their services teams have access to the most up-to-date information available in a highly dynamic situation.  

Microsoft patch

Microsoft has issued a patch for all currently supported versions of Microsoft Windows, including Windows Vista, Windows 7, Windows 8.1, and Windows Server 2008 through 2016. Additionally, since the attack, Microsoft has issued patches for Windows XP, Windows 8, and Windows Server 2003. Additional information regarding Microsoft’s support of this security incident is available from Microsoft.

What to expect?

GE Healthcare is committed to supporting our customers to maintain their systems and products in a cyber-secure manner. If customers have been affected by the ransomware, or if they have concerns about a particular product, they are encouraged to contact their GE Service representative or their GE Service Call Center.  Although each customer has unique circumstances, as a general matter, for any device with a Microsoft version for which Microsoft has issued a patch (see above), support is likely to consist of the installation of a Microsoft-approved patch that is either installed by the customer or by our services team.   

We are creating practical guidance for the installation process and distributing this guidance through GE Healthcare Service and Call Center teams for use in responding to customer questions.

GE Healthcare is providing Services representatives with ongoing updates from Microsoft and industry bodies to ensure customers receive the most current information.  We are committed to partnering with our customers and other stakeholders to implement robust product security measures to protect the integrity of patient care around the world.