GE Ultrasound Gear Riddled With Bugs, Open to Ransomware & Data Theft

May 16, 2024 at 03:40PM

Researchers found 11 security flaws in GE’s Vivid Ultrasound products and related software, with severity ranging from 5.7 to 9.6 on the CVSS 3.1 scale. Nozomi Networks detailed potential risks, including remote code execution, but physical access is needed in some cases. GE has patches and mitigations available on its product security portal.

From the meeting notes, I have identified the following key takeaways:

1. Nozomi Networks has discovered 11 security vulnerabilities in GE HealthCare’s Vivid Ultrasound family of products and related software programs.
2. The vulnerabilities include issues such as missing encryption of sensitive data, use of hardcoded credentials, and other security concerns, with severity ranging from 5.7 to 9.6 on the CVSS 3.1 scoring system.
3. The vulnerabilities could lead to remote code execution with full privileges, but the most serious attack scenarios require physical access to the devices, which reduces the risk for healthcare facilities.
4. Nozomi researchers analyzed three GE products: the Vivid T9 ultrasound system, the pre-installed Common Service Desktop web application, and the EchoPAC clinical software package.
5. There are both secure design elements, such as restricted access to certain functionalities, and vulnerabilities, such as the kiosk breakout vulnerability in the Vivid T9 and the hardcoded credentials issue in EchoPAC.
6. Exploiting the vulnerabilities in the devices may require physical access or a foothold in the local area network.
7. Nozomi demonstrated that a specially crafted USB drive, plugged into the exposed USB port, could compromise a T9 in about a minute.

It is crucial for healthcare facilities to be aware of these vulnerabilities and to take the necessary precautions, especially securing physical access to the devices and applying the patches and mitigations available on GE HealthCare’s product security portal.