CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.007 Low
Percentile: 79.7%
This advisory was originally posted to the HSIN ICS-CERT library on February 6, 2018, and is being released to the NCCIC/ICS-CERT website.
Independent researcher Scott Erven submitted information regarding the potential use of default or hard-coded credentials in multiple GE Healthcare products. Following the researcher's report, GE performed a self-assessment and validated that multiple GE Healthcare products use default or hard-coded credentials. GE has reviewed capability to change passwords identified by the researcher within the product documentation, and users are advised to contact GE Service for assistance in changing passwords.
Vulnerability information about the affected products is publicly available.
The following GE Healthcare products are affected:
Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC recommends that organizations evaluate the impact of this vulnerability based on their operational environment and specific clinical usage.
GE Healthcare is a U.S.-based company that maintains offices in several countries around the world.
According to GE, the affected products are deployed across the Healthcare and Public Health sector. GE estimates that most of these products are used worldwide; however, the Optima 680, the Image Vault 3.x, and the THUNIS-800+ have very limited or no usage in the United States or Canada.
The affected devices use default or hard-coded credentials.
For the affected products, a CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
This vulnerability could be exploited remotely.
An attacker with a low skill level would be able to exploit this vulnerability.
GE has produced product updates that are available upon request, which replace default or hard-coded credentials with custom credentials for all but three of the affected products. GE's product updates are not available for the Optima 680, Revolution XQ/i, and THUNIS-800+ systems.
NCCIC recommends that users take additional defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
GE Healthcare provides updates on vulnerability management and other security information at the following URL:
<http://www3.gehealthcare.com/en/support/security>
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1594
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2446
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1603
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2777
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6757
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5143
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5306
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5307
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5309
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5310
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5322
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6660
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6693
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6694
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6695
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7404
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7442
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7232
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7233
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14004
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14006
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14008
cwe.mitre.org/data/definitions/287.html