ID CVE-2003-1603 Type cve Reporter cve@mitre.org Modified 2018-03-28T01:29:00
Description
GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors.
{"ics": [{"lastseen": "2019-07-19T15:42:00", "bulletinFamily": "info", "description": "## OVERVIEW\n\nThis advisory was originally posted to the HSIN ICS-CERT library on February 6, 2018, and is being released to the NCCIC/ICS-CERT website.\n\nIndependent researcher Scott Erven submitted information regarding the potential use of default or hard-coded credentials in multiple GE Healthcare products. Following the researcher\u2019s report, GE performed a self-assessment and validated that multiple GE Healthcare products use default or hard-coded credentials. GE has reviewed capability to change passwords identified by the researcher within the product documentation, and users are advised to contact GE Service for assistance in changing passwords.\n\nVulnerability information about the affected products is publicly available.\n\n## AFFECTED PRODUCTS\n\nThe following GE Healthcare products are affected:\n\n * Optima 520, which are medical imaging systems, all versions,\n * Optima 540, which are medical imaging systems, all versions,\n * Optima 640, which are medical imaging systems, all versions,\n * Optima 680, which are medical imaging systems, all versions,\n * Discovery NM530c, which is a nuclear medical imaging system, versions prior to Version 1.003,\n * Discovery NM750b, which is a dedicated breast imaging system, versions prior to Version 2.003,\n * Discovery XR656 and Discovery XR656 Plus, which are digital radiographic imaging systems, all versions,\n * Revolution XQ/i, which is a medical imaging system, all versions,\n * THUNIS-800+, which is a stationary diagnostic radiographic and fluoroscopic X-ray system, all versions,\n * Centricity PACS Server, which is used to support a medical imaging archiving and communication system, all versions,\n * Centricity PACS RA1000, which is used for diagnostic image analysis, all versions,\n * Centricity PACS-IW, which is an integrated web-based system for medical imaging, all versions including Version 3.7.3.7 and Version 3.7.3.8,\n * Centricity DMS, which is a data management software, all versions,\n * Discovery VH / Millenium VG, which are nuclear medical imaging systems, all versions,\n * eNTEGRA 2.0/2.5 Processing and Review Workstation, which is a nuclear medicine workstation for displaying, archiving, and communicating medical imaging, all versions,\n * CADstream, which is a medical imaging software, all versions,\n * Optima MR360, which is a medical imaging system, all versions,\n * GEMNet License server (EchoServer), all versions,\n * Image Vault 3.x medical imaging software, all versions,\n * Infinia / Infinia with Hawkeye 4 / 1, which are medical imaging systems, all versions,\n * Millenium MG / Millenium NC / Millenium MyoSIGHT, which are nuclear medical imaging systems, all versions,\n * Precision MP/i, which is a medical imaging system, all versions, and\n * Xeleris 1.0 / 1.1 / 2.1 / 3.0 / 3.1, which are medical imaging workstations, all versions.\n\n## IMPACT\n\nSuccessful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.\n\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC recommends that organizations evaluate the impact of this vulnerability based on their operational environment and specific clinical usage.\n\n## BACKGROUND\n\nGE Healthcare is a U.S.-based company that maintains offices in several countries around the world.\n\nAccording to GE, the affected products are deployed across the Healthcare and Public Health sector. GE estimates that most of these products are used worldwide; however, the Optima 680, the Image Vault 3.x, and the THUNIS-800+ have very limited or no usage in the United States or Canada.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nThe affected devices use default or hard-coded credentials.\n\n * [CVE-2010-5306](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5306>) has been assigned to the GE Optima 520, 540, 640, and 680.\n * [CVE-2009-5143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5143>) has been assigned to the GE Discovery NM530c.\n * [CVE-2013-7404](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7404>) has been assigned to the GE Discovery NM750b.\n * [CVE-2014-7232](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7232>) has been assigned to the GE Discovery XR656 and Discovery XR656 Plus.\n * [CVE-2010-5310](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5310>) has been assigned to the GE Revolution XQ/i.\n * [CVE-2014-7233](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7233>) has been assigned to the GE THUNIS-800+.\n * [CVE-2012-6693](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6693>), [CVE-2012-6694](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6694>), [CVE-2012-6695](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6695>), and [CVE-2013-7442](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7442>) have been assigned to the GE Centricity PACS Server.\n * [CVE-2017-14008](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14008>) has been assigned to the GE Centricity PACS RA1000 workstation.\n * [CVE-2011-5322](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5322>) has been assigned to the GE Centricity PACS-IW.\n * [CVE-2007-6757](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6757>) has been assigned to the GE Centricity DMS.\n * [CVE-2003-1603](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1603>) has been assigned to the GE Discovery VH and Millenium VG.\n * [CVE-2001-1594](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1594>) has been assigned to the GE eNTEGRA 2.0/2.5 Processing and Review Workstation.\n * [CVE-2010-5309](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5309>) has been assigned to the GE CADstream.\n * [CVE-2010-5307](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5307>) has been assigned to the GE Optima MR360.\n * [CVE-2017-14004](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14004>) has been assigned to the GE GEMNet License server (EchoServer).\n * [CVE-2004-2777](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2777>) has been assigned to the GE Image Vault 3.x.\n * [CVE-2017-14002](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14004>) has been assigned to the GE Infinia / Infinia with Hawkeye 4.\n * [CVE-2002-2446](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2446>) has been assigned to the GE Millenium MG / Millenium NC / Millenium MyoSIGHT.\n * [CVE-2012-6660](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6660>) has been assigned to GE Precision MP/i.\n * [CVE-2017-14006](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14006>) has been assigned to GE Xeleris 1.0/1.1/2.1/3.0/3.1.\n\nFor the affected products, a CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>))\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThis vulnerability could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nVulnerability information about the affected products is publicly available.\n\n#### DIFFICULTY\n\nAn attacker with a low skill level would be able to exploit this vulnerability.\n\n## MITIGATION\n\nGE has produced product updates that are available upon request, which replace default or hard-coded credentials with custom credentials for all but three of the affected products. GE\u2019s product updates are not available for the Optima 680, Revolution XQ/i, and THUNIS-800+ systems.\n\nNCCIC recommends that users take additional defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Close all unused ports on affected systems.\n * Where possible, discontinue or limit the use of non-product-related third-party software, such as email and web browser software on the affected system, which could broaden the attack surface of medical devices.\n * Ensure that affected systems have applied the most current vendor-issued patches available.\n * Restrict network access to affected systems and ensure they are not directly accessible from the Internet.\n * Follow good network design practices, such as implementing network segmentation, and use DMZs with properly configured firewalls to selectively control, and monitor all traffic passed between zones and systems.\n * Monitor and log all network traffic attempting to reach affected products for suspicious activity.\n * When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nGE Healthcare provides updates on vulnerability management and other security information at the following URL: \n\n<http://www3.gehealthcare.com/en/support/security>\n\nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the NCCIC at: \n \nEmail: [NCCICCUSTOMERSERVICE@hq.dhs.gov](<mailto:NCCICCUSTOMERSERVICE@hq.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: http://ics-cert.us-cert.gov \nor incident reporting: https://ics-cert.us-cert.gov/Report-Incident?\n\nThe NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? Yes | Somewhat | No\n", "modified": "2018-03-13T00:00:00", "published": "2018-03-13T00:00:00", "id": "ICSMA-18-037-02", "href": "https://www.us-cert.gov//ics/advisories/ICSMA-18-037-02", "title": "GE Medical Devices Vulnerability", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
