GE Medical Devices Vulnerability
Act Now · 9.8 · ICS-CERT ICSMA-18-037-02 · Feb 6, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
GE medical imaging devices and related clinical software contain a default/hard-coded credential vulnerability that allows remote attackers to bypass authentication (CWE-287). Successful exploitation grants unauthorized access to affected devices. GE has released product updates that replace default credentials with custom ones for most affected products, but updates are not available for Optima 680, Revolution XQ/i, and THUNIS-800+ systems.
What this means
What could happen
An attacker could bypass authentication on medical imaging and related devices, gaining unauthorized access to patient data, treatment parameters, and critical imaging systems. This could lead to tampering with diagnostic results, theft of protected health information, or denial of service to clinical operations.
Who's at risk
Healthcare facilities using GE medical imaging and related clinical systems, including CT scanners (Optima, Discovery, Revolution, Infinia), nuclear imaging systems (Millennium, Millennium VG, Infinia with Hawkeye), PET/SPECT systems, PACS servers, and imaging workstations. This affects diagnostic imaging departments and radiology information systems.
How it could be exploited
An attacker on the network (or remotely, if the devices are internet-connected) sends requests to the affected medical device using its default or hard-coded credentials. The device accepts those credentials, so the attacker logs in without ever being issued valid credentials and reaches administrative functions.
Prerequisites
- Network access to the medical imaging device (can be local network or internet if port-forwarded)
- No valid user credentials required
- Device running any affected software version
- Remotely exploitable over network
- No authentication required (default/hard-coded credentials)
- Low complexity to exploit
- Affects medical imaging devices handling patient data
- No fix available for three critical systems (Optima 680, Revolution XQ/i, THUNIS-800+)
- All versions affected
Exploitability
Moderate exploit probability (EPSS 8.9%)
Affected products (32)
22 with fix · 10 EOL
Product | Affected Versions | Fix Status
Optima 520 | * (all versions) | No fix (EOL)
Optima 540 | * (all versions) | No fix (EOL)
Optima 640 | * (all versions) | No fix (EOL)
Optima 680 | * (all versions) | No fix (EOL)
Discovery NM530c | < 1.003 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For all affected devices: Disable remote administrative access and require in-person or VPN-authenticated access for device administration
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Request and apply GE product updates to replace default/hard-coded credentials with custom credentials
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Optima 520: *, Optima 540: *, Optima 640: *, Optima 680: *, Discovery NM530c: < 1.003, Discovery NM750b: < 2.003, Revolution XQ/i: *, THUNIS-800+: *, Discovery XR656: *, Discovery XR656 Plus: *. Apply the following compensating controls:
HARDENING: For Optima 680, Revolution XQ/i, and THUNIS-800+: Implement network segmentation to isolate devices from untrusted networks and restrict administrative access to authorized engineering workstations only
HARDENING: Monitor network traffic to affected devices for unusual login attempts or data exfiltration
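As an added example that is not part of the advisory, the following Python script turns the two hardening controls above into a check over device login events: it flags successful logins to an imaging device that did not come from an allowlisted engineering workstation, and bursts of login attempts against one device from one source. The log format, device names, addresses and allowlist are assumptions constructed for the example.

```python
# Added example (not from the advisory). Assumed syslog-like login events
# forwarded from the imaging devices; hostnames and addresses are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>[\d.]+) result=(?P<result>success|failure)$"
)

# Constructed allowlist: the only workstations permitted to administer devices.
AUTHORIZED_ADMIN_HOSTS = {"10.20.0.5", "10.20.0.6"}

# Constructed sample events, not real traffic.
SAMPLE_LOG = """\
2018-02-06T08:00:01 optima-ct-1 auth: user=service src=10.20.0.5 result=success
2018-02-06T08:05:10 optima-ct-1 auth: user=service src=10.40.7.21 result=success
2018-02-06T08:05:12 discovery-nm-2 auth: user=admin src=10.40.7.21 result=failure
2018-02-06T08:05:13 discovery-nm-2 auth: user=admin src=10.40.7.21 result=failure
2018-02-06T08:05:14 discovery-nm-2 auth: user=admin src=10.40.7.21 result=success
"""


def parse(log: str):
    """Yield one dict per well-formed event; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def find_alerts(log: str, burst: int = 3, window: timedelta = timedelta(seconds=60)):
    """Return (kind, device, src) tuples in event order.
    'unauthorized_source': successful login from outside the allowlist.
    'burst': the burst-th attempt from one source on one device within window."""
    alerts = []
    attempts = defaultdict(list)  # (device, src) -> timestamps inside window
    for ev in parse(log):
        key = (ev["device"], ev["src"])
        if ev["result"] == "success" and ev["src"] not in AUTHORIZED_ADMIN_HOSTS:
            alerts.append(("unauthorized_source", ev["device"], ev["src"]))
        attempts[key] = [t for t in attempts[key] if ev["ts"] - t <= window]
        attempts[key].append(ev["ts"])
        if len(attempts[key]) == burst:  # fire once when the threshold is reached
            alerts.append(("burst", ev["device"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for kind, device, src in find_alerts(SAMPLE_LOG):
        print(f"{kind}: device={device} src={src}")
```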
CVEs (23)
CVE-2010-5306, CVE-2009-5143, CVE-2013-7404, CVE-2014-7232, CVE-2010-5310, CVE-2014-7233, CVE-2012-6693, CVE-2012-6694, CVE-2012-6695, CVE-2013-7442, CVE-2017-14008, CVE-2011-5322, CVE-2007-6757, CVE-2003-1603, CVE-2001-1594, CVE-2010-5309, CVE-2010-5307, CVE-2017-14004, CVE-2004-2777, CVE-2017-14002, CVE-2002-2446, CVE-2012-6660, CVE-2017-14006