Researchers Uncover 11 Security Flaws in GE HealthCare Ultrasound Machines

May 16, 2024 at 06:42AM

Security researchers disclosed almost a dozen vulnerabilities affecting GE HealthCare Vivid Ultrasound products, posing a risk of ransomware implantation and patient data manipulation. Exploiting the vulnerabilities requires physical access to the devices, and the flaws range from hard-coded credentials to path traversal. An exploit chain can be used to execute arbitrary code. Other recent security flaws have been found in the Merge DICOM Toolkit, Siemens SIMATIC Energy Manager, and the ThroughTek Kalay Platform.

Key takeaways:

– Security researchers disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family, potentially leading to patient data tampering and even ransomware installation under specific circumstances.
– The vulnerabilities affect the Vivid T9 ultrasound system, its pre-installed Common Service Desktop web application, and a software program called EchoPAC installed on a doctor’s Windows workstation.
– Successful exploitation of the flaws requires physical access to the hospital environment and the devices.
– Nozomi Networks identified several vulnerabilities including the most severe one – CVE-2024-27107 with a CVSS score of 9.6.
– GE HealthCare has advised that existing mitigations and controls reduce the risks posed by these flaws to acceptable levels, and that it would be clearly indicated if a malicious actor rendered the device unusable.
– Similar security flaws have been discovered in other products such as the Merge DICOM Toolkit for Windows, Siemens SIMATIC Energy Manager, and ThroughTek Kalay Platform integrated within IoT devices, bringing to light the importance of addressing security vulnerabilities across a variety of healthcare and IoT technologies.