Security researchers have revealed nearly a dozen security vulnerabilities affecting GE HealthCare’s Vivid Ultrasound product line, which could be exploited by malicious actors to tamper with patient data or even install ransomware in some cases.
“The impact of these flaws is manifold: from planting ransomware on ultrasound machines to accessing and manipulating patient data stored on the vulnerable devices,” operational technology (OT) security vendor Nozomi Networks said in a technical report.
These security issues affect the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, which is exposed on the device’s local host interface and allows users to perform administrative operations.
They also affect another software program called EchoPAC, which is installed on doctors’ Windows workstations and helps them access multidimensional echo, vascular and abdominal ultrasound images.
That being said, successful exploitation of these flaws requires the threat actor to first gain access to the hospital environment and physically interact with the device, which can then be leveraged to achieve arbitrary code execution with administrative privileges.
In a hypothetical attack scenario, a malicious actor could target the Vivid T9 system by planting a ransomware payload and even steal or tamper with patient data.
The most severe vulnerability is CVE-2024-27107 (CVSS score: 9.6), which involves the use of hard-coded credentials. Other discovered flaws involve command injection (CVE-2024-1628), execution with unnecessary privileges (CVE-2024-27110 and CVE-2020-6977), path traversal (CVE-2024-1630 and CVE-2024-1629), and protection mechanism failure (CVE-2020-6977).
An exploit chain designed by Nozomi Networks exploits CVE-2020-6977 to gain local access to a device and then weaponizes CVE-2024-1628 to achieve code execution.
“However, in order to speed up the process, […] An attacker could also abuse an exposed USB port and connect a malicious thumb drive, simulating a keyboard and mouse to automatically perform all the necessary steps faster than a human can,” the company said.
Alternatively, an attacker could use stolen VPN credentials collected through other means (such as phishing or data exfiltration) to gain access to the hospital’s internal network, scan for vulnerable installations of EchoPAC, and then exploit CVE-2024-27107 to gain unrestricted access to the hospital’s intranet.
In a set of recommendations, GE HealthCare said “existing mitigations and controls” reduce the risks posed by these flaws to acceptable levels.
“In the unlikely event that a malicious actor with physical access could render the device unusable, the intended user of the device would have clear instructions,” it states. “This vulnerability can only be exploited by people with direct physical access to the device.”
A few weeks ago, security vulnerabilities that could be used to trigger a denial of service (DoS) were also discovered in the Merge DICOM Toolkit for Windows (CVE-2024-23912, CVE-2024-23913, and CVE-2024-23914). The issue has been resolved in the library’s v5.18 release [PDF].
Also discovered was one of the most serious security vulnerabilities (CVE-2022-23450, CVSS score: 10.0) in Siemens SIMATIC Energy Manager (EnMPro) products. This vulnerability can be used by remote attackers to execute arbitrary code with system privileges by sending maliciously crafted objects.
“An attacker who successfully exploited this vulnerability could remotely execute code and take full control of the EnMPro server,” said Claroty security researcher Noam Moshe.
Users are strongly recommended to update to V7.3 Update 1 or above, as previous versions have insecure deserialization vulnerabilities.
Security vulnerabilities (CVE-2023-6321 through CVE-2023-6324) have also been discovered in the ThroughTek Kalay platform integrated into Internet of Things (IoT) devices, which could allow attackers to escalate privileges, execute commands as root, and establish connections with victim devices.
“When linked together, these vulnerabilities can facilitate unauthorized root access within the local network, as well as remote code execution to completely compromise the victim’s device,” Romanian cybersecurity company Bitdefender said. “Remote code can only be executed after the device has been accessed from the local network.”
The vulnerabilities, which were patched in April 2024 after being responsibly disclosed in October 2023, were found to affect baby monitors and indoor security cameras from vendors such as Owlet, Roku, and Wyze, allowing threat actors to daisy-chain them to execute commands on any affected device.
“The impact of these vulnerabilities goes well beyond theoretical exploitation as they directly impact the privacy and security of users who rely on ThroughTek Kalay devices,” the company added.