Threat Intel: Critical CVEs Found in GE Imaging and Ultrasound Products

ICS Medical Advisory (ICSMA-20-343-01)
Cynerio
Dec 9, 2020

Advisory Information

CISA released ICS Medical Advisory (ICSMA-20-343-01) on December 8, 2020, citing two major vulnerabilities discovered in a slew of GE radiology products.

How Do These Vulnerabilities Impact GE Radiology Products?

Both vulnerabilities are remotely exploitable and may enable threat actors to run arbitrary code, jeopardizing device functionality, ePHI security, and patient safety.

  1. CVE-2020-25175 - This vulnerability has a CVSS v3 base score of 9.8 and can expose product access credentials when communications are sent across the network.
  2. CVE-2020-25179 - This vulnerability also has a CVSS v3 base score of 9.8. Similarly, it can expose default credentials and allow access to sensitive data, e.g. ePHI. The vulnerability may also allow threat actors to tamper with and modify data.

Devices & Series Affected

  • MRI - Signa, Brivo, Optima
  • Ultrasounds - LOGIQ, Vivid, EchoPAC, Image Vault, Voluson
  • DICOM Workstation - AW
  • Interventional - Innova, Optima
  • X-Ray - Brivo, Definium, AMX, Discovery, Optima, Precision
  • Mammography - Seno, Essential, Senographe Pristina
  • CT - BrightSpeed, Brivo, Discovery, LightSpeed, Optima Advance, Revolution
  • Nuclear Medicine - Brivo, Discovery, Infinia, Optima, Ventri, Xeleris, PET Discovery, PETrace

How Can Cynerio Help Mitigate the Threat?

While GE actively works to update default passwords on affected devices and recommends reconfiguring the products’ firewall security, Cynerio can help healthcare facilities implement proactive, preemptive and healthcare-safe Zero Trust security measures to further protect your Healthcare IoT networks:

  1. Identify, locate, and flag every affected device across your networks
  2. Quickly and safely apply North-South and East-West segmentation policies
  3. Micromanage risks on specific ports with Cynerio’s Service Hardening capability to configure access rules according to every communication’s source and destination IP/ports (e.g. TELNET, FTP, REXEC, SSH)
  4. Manage all vendor and third-party connections with our Vendor Access Management capability, with full visibility and control over which vendors connect to which devices to perform specific services and activities
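As an added example (not Cynerio's product code or anything from GE), the following Python policy check applies the segmentation, service-hardening and vendor-access ideas from steps 2 to 4 to constructed flow records: cleartext management protocols to affected devices are blocked, SSH is allowed only from a vendor-access subnet, and imaging devices may not administer each other. Device IPs, subnets and flows are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Management services named in the mitigation steps and their default TCP ports.
MGMT_PORTS = {21: "FTP", 22: "SSH", 23: "TELNET", 512: "REXEC"}
CLEARTEXT = {"FTP", "TELNET", "REXEC"}  # credentials cross the wire in the clear

# Constructed inventory: affected radiology modalities on a hypothetical imaging VLAN.
AFFECTED_DEVICES = {"10.20.1.10": "CT", "10.20.1.11": "MRI", "10.20.1.12": "Ultrasound"}
IMAGING_VLAN = ip_network("10.20.1.0/24")
VENDOR_ACCESS = ip_network("10.99.0.0/24")  # hypothetical vendor remote-access subnet

def classify_flow(src, dst, dport):
    """Return (verdict, reason) for one flow under the segmentation policy."""
    if dst not in AFFECTED_DEVICES:
        return "allow", "destination is not an affected device"
    service = MGMT_PORTS.get(dport)
    if service is None:
        return "allow", "not a management port (e.g. DICOM stays open)"
    # Service hardening: cleartext management protocols are blocked outright.
    if service in CLEARTEXT:
        return "block", f"{service} to {AFFECTED_DEVICES[dst]} exposes credentials"
    s = ip_address(src)
    # Vendor access management: only the vendor subnet may reach SSH.
    if s in VENDOR_ACCESS:
        return "allow", f"{service} from vendor access subnet"
    # East-west: affected devices should not administer each other.
    if s in IMAGING_VLAN:
        return "block", f"east-west {service} inside imaging VLAN"
    return "block", f"north-south {service} from {src} not allowlisted"

def audit(flows):
    """Return the flows the policy would block, each paired with its reason."""
    blocked = []
    for f in flows:
        verdict, reason = classify_flow(f["src"], f["dst"], f["dport"])
        if verdict == "block":
            blocked.append((f, reason))
    return blocked

SAMPLE_FLOWS = [  # constructed flow records: source, destination, destination port
    {"src": "10.50.3.7", "dst": "10.20.1.10", "dport": 23},    # TELNET to CT
    {"src": "10.99.0.5", "dst": "10.20.1.11", "dport": 22},    # vendor SSH to MRI
    {"src": "10.20.1.12", "dst": "10.20.1.10", "dport": 22},   # ultrasound -> CT SSH
    {"src": "10.50.3.7", "dst": "10.20.1.10", "dport": 104},   # DICOM from PACS
    {"src": "10.50.3.7", "dst": "10.20.1.11", "dport": 21},    # FTP to MRI
    {"src": "10.50.3.7", "dst": "10.20.1.12", "dport": 22},    # workstation SSH
]

if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"BLOCK {f['src']} -> {f['dst']}:{f['dport']}  {why}")
```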

Other Helpful Resources

https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01

https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B

https://www.gehealthcare.com/en-US/security


In support of CISA’s National Cyber Awareness Month, we’re offering healthcare facilities across North America a free risk assessment until December 31. To get your free risk assessment, contact us today.
