Vulnerabilities on GE HealthCare Vivid Ultrasound Could Allow Malicious Insiders to Locally Install Ransomware, Access and Manipulate Patient Data

In an effort to increase the resilience of medical systems, Nozomi Networks Labs has conducted research on a device from the GE HealthCare Vivid Ultrasound family, as well as the companion software used to review the generated medical data.

In this blog, we announce the discovery of a total of 11 vulnerabilities affecting several systems and software from GE HealthCare. The impacts enabled by these flaws range from implanting ransomware on the ultrasound machine to accessing and manipulating the patient data stored on the vulnerable devices. All of these scenarios could have repercussions on the hospital workflow or on the security of the medical data being processed. However, to perform these steps, physical interaction with the device is required because the attacker needs to operate the embedded keyboard and trackpad.

Patches and mitigations for the identified vulnerabilities are available in the GE HealthCare Product Security Portal. As usual, our Threat Intelligence feed has been updated to provide our customers with both detection strategies for the exploitation of the issues and the identification of affected components.

Research Scope

GE HealthCare features an extensive range of ultrasound systems designed to target a wide variety of patient needs. We investigated the security of the Vivid family, a comprehensive suite of medical imaging systems conceived for cardiovascular care. More specifically, our attention was directed towards the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, along with the EchoPAC software.

The Vivid T9 (Figure 1) is an ultrasound system specialized for cardiac ultrasound imaging. It can also act as a general-purpose ultrasound solution for the imaging, measurement, display, and analysis of the human body and fluid, for instance vascular or abdominal exams.

Under the hood, the Vivid T9 embeds a fully-fledged desktop PC running a version of Microsoft Windows 10 customized by GE HealthCare. Most of the device logic is managed by applications or scripts running on it, including the graphical user interface displayed on the monitors. Notably, the GUI is designed to restrict operators from accessing the underlying Windows OS (similar to a “kiosk” mode), except for a few Windows functionalities that are directly reachable.

Figure 1. The Vivid T9 ultrasound system.

Similar to other devices from GE HealthCare, the Vivid T9 comes with a pre-installed Common Service Desktop web application (Figure 2). Common Service Desktop is an accessory management web application running on the embedded Windows system that allows administrative tasks to be performed, such as changing device passwords, gathering logs, starting network captures, etc. This web application is only exposed on the localhost interface of the device.

Figure 2. The Common Service Desktop web application.

Finally, EchoPAC Software Only (Figure 3) is a clinical software package that is usually installed on doctors’ Windows workstations and used as a comprehensive review station for multi-dimensional echo, vascular, and abdominal ultrasound images. It provides both viewing and measurement/analysis capabilities for 2D, 4D, and multidimensional ultrasound parametric images from the GE HealthCare Vivid family of scanners, as well as DICOM images from other ultrasound systems. To enable these data flows with the ultrasound machine, it performs the following actions:

  • Installs new listeners for DICOM and the companion SQL Anywhere DBMS communications;
  • Creates new Windows users for SMB transmissions, as documented in the manuals.

Figure 3. The EchoPAC PC Software-Only client application.

What Are the Impacts of These Vulnerabilities?

Inside each of the above targets, we identified several vulnerabilities that, after gaining access to the hospital environment and device, could be exploited to ultimately achieve arbitrary code execution with administrative privileges (i.e., NT AUTHORITY\SYSTEM) through different attack vectors (more on this in the “Vulnerability Spotlight” section below). By exploiting these issues, the following attack scenarios can be enacted:

  • Ransomware: in a similar fashion to previous research conducted by Nozomi Networks Labs, we successfully verified the ability to lock the Vivid T9 by means of a proof-of-concept ransomware. After physically accessing the device and removing all Windows security protections (which was possible due to the full privileges obtained), we were able to disrupt the device logic while simultaneously showing a picture on the screen asking for the payment of a ransom (Figure 4). A similar payload may also be executed against a doctor’s workstation running Echopac.

Figure 4. A PoC ransomware running on the Vivid T9.

  • Access and Manipulation of Patient Data: having achieved code execution with full privileges on a target system, nothing can stop an attacker from accessing and even manipulating all patient data stored on it. For instance, when considering Echopac, all patient data is stored in the companion SQL Anywhere database. These databases can be easily accessed after exfiltrating the database file and loading it in a compatible client (Figure 5), or, even more simply, by sending SQL commands to the exposed network port. Again, the same weaknesses and conclusions apply to the Vivid T9.

Figure 5. Exfiltration of patient data from the Echopac database.

General Considerations for Vulnerabilities in Healthcare

Having explored the immediate consequences of exploiting the vulnerabilities listed above, here are a few broad reflections on the aftermath of a cyberattack targeting a healthcare provider where, unlike this scenario, an internet-facing device is targeted.

Consider a scenario where a primary healthcare facility in a major city is targeted by a cyberattack. It's important to recognize that all kinds of medical devices, not limited to the ones mentioned above, supplied by various vendors and often plagued by security weaknesses, could be appealing targets for malicious actors, thus serving as potential entry points for broader cyberattacks. Should the facility fall victim to such an attack, the consequences would be severe and multifaceted. Medical infrastructure, crucial for diagnosing and monitoring various conditions, may become inaccessible, potentially delaying critical procedures, hindering accurate diagnoses, and impeding timely treatment. Furthermore, patient confidentiality could be compromised, leading to significant privacy breaches and legal repercussions. Exposed patient data might be misused or sold, posing a serious threat to personal privacy. Additionally, such disruptions could jeopardize the accuracy of diagnoses and treatment plans, potentially harming patients.

Risk managers are required to consider the primary consequences of an event or incident, such as the examples given above. To this end, GE HealthCare has confirmed that its trained medical staff has executed a medical safety risk assessment following regulatory expectations and has concluded that the associated safety risk is controlled, acceptable, or as low as possible. This process, which is regulated by the US FDA and other regulatory bodies, requires well-trained medical staff and a very detailed collection of evidence.

The healthcare industry faces some of the highest average costs to rectify an attack, and recovery efforts can be long and complex. Cyber insurance requirements are driving improvements in security infrastructure and policies; however, some studies indicate that cyber insurance coverage in healthcare may be lower than in other industries.

Healthcare providers balance the costs of compliance, insurance and infrastructure improvement against the risk of attack, the time and financial costs of recovery, and the reputational costs of a breach. While these factors are not unique to healthcare, with human life at stake, the need to maintain privacy and confidentiality is more complex than in many other industries. Providing the input and means to manage and maintain this balance is where the expertise of security and risk professionals plays a critical role alongside members of the board in the management of risk and exposure.

Vulnerability List and Affected Versions

The following table lists all vulnerabilities found, ordered by CVSS v3.1 base score.

| CVE ID | CWE | CVSS v3.1 Base Score | CVSS v3.1 Vector |
|---|---|---|---|
| CVE-2024-27107 | Use of Hard-coded Credentials (CWE-798) | 9.6 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2020-6977* | Protection Mechanism Failure (CWE-693) | 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-1628 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) | 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-27110 | Execution with Unnecessary Privileges (CWE-250) | 8.4 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVE-2024-1630 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 7.7 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CVE-2024-27109 | Insufficiently Protected Credentials (CWE-522) | 7.6 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2024-1486 | Incorrect Permission Assignment for Critical Resource (CWE-732) | 7.4 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-27108 | Incorrect Permission Assignment for Critical Resource (CWE-732) | 6.8 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-6977* | Execution with Unnecessary Privileges (CWE-250) | 6.4 | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-1629 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-27106 | Missing Encryption of Sensitive Data (CWE-311) | 5.7 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |

* This ID was assigned in 2020 to track a kiosk breakout vulnerability reported by another external team. It has been reused by GE HealthCare to track the Protection Mechanism Failure (CWE-693) and Execution with Unnecessary Privileges (CWE-250) vulnerabilities discovered by Nozomi Networks Labs.

The comprehensive list of all affected configurations can be found in the GE HealthCare Product Security Portal.

Vulnerability Spotlight

As discussed above, the impacts of these vulnerabilities are all similar: we were able to achieve arbitrary code execution with the highest privileges in all three targets. However, their attack vectors differ: the Vivid T9 requires physical interaction, local access is necessary to abuse Common Service Desktop, whereas code execution against Echopac can be achieved through the local network (“adjacent”).

When running in the default configuration, the most effective way to exploit a vulnerable Vivid T9 is through a two-phase chain that also combines Common Service Desktop:

  1. First, by abusing the Protection Mechanism Failure issue of CVE-2020-6977 to evade the kiosk mode and obtain local access to the device. This allows the Common Service Desktop web application to be reached;
  2. Second, by exploiting one of the command injection issues found in Common Service Desktop, tracked under CVE-2024-1628, to attain code execution. SYSTEM privileges are immediately granted due to the Execution with Unnecessary Privileges issue of CVE-2020-6977.

To perform these steps, physical interaction with the device is required because the attacker needs to operate with the embedded keyboard and trackpad. Notably, one of the command injection flaws tracked under CVE-2024-1628 affects an input field that can be exploited by simply typing the command in the input field, as no client-side input validation logic is enforced.

However, to speed up the process, we proved that an attacker may also abuse the exposed USB port and attach a malicious thumb drive that, by emulating a keyboard and mouse, automatically performs all necessary steps at faster-than-human speed. For instance, in our lab, we managed to craft a USB drive that completes the entire chain in about one minute. Given that ultrasound machines are expected to be used in facilities such as hospitals or clinics, which are frequently accessed by external individuals, an attack on a device left unattended for one minute is not only possible but probable under the right conditions. This attack chain is represented in the diagram in Figure 6.

Figure 6. Example of attack chain resulting in ransomware being implanted on an ultrasound machine.

On the other hand, when considering vulnerable Echopac installations, the exploitation can be completed by default from the network and without involving any specific credentials. The only requirement is the possibility for an attacker to exchange network packets with the vulnerable software, which usually means having a foothold in the internal network to which the target is connected. Normally, this may be done in a variety of ways: by physically connecting to a network port in an empty office, by abusing a poorly protected wireless network, or by accessing the corporate VPN service from the internet after compromising the password of an employee (e.g., via phishing).

Figure 7 depicts a possible remote attack chain against Echopac that leverages CVE-2024-27107 and concludes with the access or manipulation of data.

Figure 7. Example of attack chain resulting in the access and manipulation of local patient data on an Echopac installation.

Remediations

Asset owners may find all official patches and/or mitigations for the affected configurations in the GE HealthCare Product Security Portal.

Below are additional mitigations provided by Nozomi Networks Labs:

  • Never leave ultrasound devices unattended, even for a short period of time, as just one minute may be enough to implant malware;
  • On all workstations that have Echopac installed, block incoming connections via firewall to SMB and 2638/tcp (SQL Anywhere DB server port) when the workstation is connected to an unprotected network;
  • More generally, ensure proper network segmentation and limit network communication to only essential traffic.
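The second mitigation expressed as a Windows PowerShell script, added here as an example and not provided by Nozomi Networks or GE HealthCare. It assumes the built-in NetSecurity cmdlets (Windows 10/11, Server 2016 and later), an elevated prompt, and that the Windows "Public" network profile is what the workstation is assigned when on an unprotected network; the rule name is a placeholder chosen for this example.

```powershell
# Added example: block inbound SMB (445/tcp) and SQL Anywhere (2638/tcp) on an Echopac
# workstation whenever the active network is classified as Public (i.e. untrusted).
# Assumes the built-in NetSecurity module; run from an elevated PowerShell session.

$ports    = @(445, 2638)
$ruleName = "Echopac - block SMB and SQL Anywhere on untrusted networks"   # placeholder name

# Check which of the two listeners are actually present before tightening anything,
# so the operator can confirm the SQL Anywhere DB server port is really exposed.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# Create the rule only once so the script can be re-run safely.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Profile Public -Action Block -Enabled True | Out-Null
}

# Show the current connection profile: the rule is only active while NetworkCategory is Public.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Confirm the rule carries the expected port filter.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

If the workstation must also stay closed on Private networks, extend `-Profile` to `Public, Private`; leave Domain traffic to the segmentation policy of the hospital network.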