Ultrasound Under Siege: GE HealthCare Vivid Flaws May Lead to Ransomware and Patient Data Tampering

Facing a security snafu, GE HealthCare’s Vivid Ultrasound devices are vulnerable to cyber-shenanigans, with risks ranging from ransomware ruckus to patient data pilfering. Patch up pronto, folks!

Hot Take:

Ultrasound machines getting a dose of ransomware? That’s a heartbeat nobody wants to see skipping. Looks like GE HealthCare’s Vivid Ultrasound family got a vulnerability check-up, and the prognosis isn’t great. If cyber crooks got physical with these devices, they could play doctor with patient data or install the digital equivalent of a cardiac arrest. Time to patch these technological heart murmurs before they lead to a full-blown data breach code blue!

Key Points:

  • GE HealthCare’s Vivid Ultrasound machines have a bouquet of security flaws ripe for exploitation, including the potential for ransomware and patient data manipulation.
  • The worst offender, CVE-2024-27107, is a heart-stopper with hard-coded credentials, allowing for unauthorized access.
  • Creativity in chaos: Attackers could leverage USB ports for a speedy, automated attack, or use stolen VPN credentials for a more stealthy approach.
  • GE HealthCare insists that your average cyber villain needs physical access to the machines, reducing the risk of someone remotely turning your ultrasound into a brick.
  • It’s not just ultrasounds feeling under the weather – DICOM services and IoT devices like baby monitors have also caught the security flaw flu.

Title: Owlet Camera OS command injection
Cve id: CVE-2023-6321
Cve state: PUBLISHED
Cve assigner short name: Bitdefender
Cve date updated: 05/15/2024
Cve description: A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.

Title: Path traversal vulnerability in “deleteFiles” function of Common Service Desktop, a GE HealthCare ultrasound device component
Cve id: CVE-2024-1629
Cve state: PUBLISHED
Cve assigner short name: GEHC
Cve date updated: 05/14/2024
Cve description: Path traversal vulnerability in “deleteFiles” function of Common Service Desktop, a GE HealthCare ultrasound device component

Title: Elevation of privilege vulnerability in GE HealthCare EchoPAC products
Cve id: CVE-2024-27110
Cve state: PUBLISHED
Cve assigner short name: GEHC
Cve date updated: 05/14/2024
Cve description: Elevation of privilege vulnerability in GE HealthCare EchoPAC products

Cve id: CVE-2024-23914
Cve state: PUBLISHED
Cve assigner short name: Nozomi
Cve date updated: 05/03/2024
Cve description: Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows. When MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it might result in an unhandled exception.

Cve id: CVE-2020-6977
Cve state: PUBLISHED
Cve assigner short name: icscert
Cve date updated: 02/20/2020
Cve description: A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality of affected devices. Specially crafted inputs can allow the user to escape the restricted environment, resulting in access to the underlying operating system. Affected devices include the following GE Ultrasound Products: Vivid products - all versions; LOGIQ - all versions not including LOGIQ 100 Pro; Voluson - all versions; Versana Essential - all versions; Invenia ABUS Scan station - all versions; Venue - all versions not including Venue 40 R1-3 and Venue 50 R4-5

Cve id: CVE-2024-23912
Cve state: PUBLISHED
Cve assigner short name: Nozomi
Cve date updated: 05/03/2024
Cve description: Out-of-bounds Read vulnerability in Merge DICOM Toolkit C/C++ on Windows. When MC_Open_File() function is used to read a malformed DICOM data, it might result in over-reading memory buffer and could cause memory access violation.

Cve id: CVE-2022-23450
Cve state: PUBLISHED
Cve assigner short name: siemens
Cve date updated: 04/12/2022
Cve description: A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.

Title: ThroughTek Kalay SDK error in handling the PSK identity
Cve id: CVE-2023-6324
Cve state: PUBLISHED
Cve assigner short name: Bitdefender
Cve date updated: 05/15/2024
Cve description: ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity

Title: Weak account password in GE HealthCare EchoPAC products
Cve id: CVE-2024-27107
Cve state: PUBLISHED
Cve assigner short name: GEHC
Cve date updated: 05/14/2024
Cve description: Weak account password in GE HealthCare EchoPAC products

Title: OS command injection vulnerabilities in GE HealthCare ultrasound devices
Cve id: CVE-2024-1628
Cve state: PUBLISHED
Cve assigner short name: GEHC
Cve date updated: 05/14/2024
Cve description: OS command injection vulnerabilities in GE HealthCare ultrasound devices

Title: Path traversal vulnerability in “getAllFolderContents” function of Common Service Desktop, a GE HealthCare ultrasound device component
Cve id: CVE-2024-1630
Cve state: PUBLISHED
Cve assigner short name: GEHC
Cve date updated: 05/14/2024
Cve description: Path traversal vulnerability in “getAllFolderContents” function of Common Service Desktop, a GE HealthCare ultrasound device component

Cve id: CVE-2024-23913
Cve state: PUBLISHED
Cve assigner short name: Nozomi
Cve date updated: 05/03/2024
Cve description: Use of Out-of-range Pointer Offset vulnerability in Merge DICOM Toolkit C/C++ on Windows. When deprecated MC_XML_To_Message() function is used to read a malformed DICOM XML file, it might result in memory access violation.

Need to know more?

Ultrasound's Unwanted Echoes:

These GE ultrasounds are singing a dangerous tune, with security issues affecting both the Vivid T9 system and the EchoPAC software. Imagine a nefarious character waltzing into a hospital, cozying up to an ultrasound machine, and then giving it a ransomware makeover. Not the kind of 'echo' doctors were hoping for.

The Chain of (Exploitative) Events:

Nozomi Networks lays out an exploit chain like they're narrating a hacker's heist movie. First, the local access sneak-in via CVE-2020-6977, followed by the grand finale of code execution with CVE-2024-1628. But wait, there's more! For the hacker in a hurry, why not plug in a malicious USB that types faster than a caffeinated coder?

A Hospital's Cyber Hygiene:

GE HealthCare's response is the cybersecurity equivalent of "you'll be fine as long as you don't fall off the bike." They believe that the risk is as slim as a stethoscope line on a flatlining EKG because you need physical access to the machine. But let's be real, in the world of security, "unlikely" is just a challenge waiting to be accepted by hackers worldwide.

When One Flaw Leads to Another:

The article doesn't just drop the mic with the ultrasounds; it gives us an encore with a nod to other recent vulnerabilities. Merge DICOM Toolkit for Windows? Check. Siemens SIMATIC Energy Manager product? Check. ThroughTek Kalay Platform in innocent IoT devices? Triple check. It's like a cybersecurity variety show, but instead of applause, we get patches.

Privacy on the Precipice:

What's scarier than a horror movie about haunted baby monitors? Realizing that the ThroughTek Kalay platform on your actual baby monitor could be a playground for hackers. Bitdefender gives us the creeps by revealing how these IoT devices could fall victim to privilege escalation, making every parent's privacy nightmare a potential reality.

And there you have it, folks – our digital world's health checkup leaves much to be desired. It's time for all of us to roll up our sleeves and get to work on these cyber-immune systems. Because in the grand hospital of life, nobody wants their machines turning against them – especially not the ones that go 'beep.'
