11 Vulnerabilities Discovered in GE HealthCare Ultrasound Products
About 12 vulnerabilities were discovered in GE HealthCare Vivid Ultrasound devices that threat actors can exploit to access and modify patient information, and possibly install ransomware to make the devices inaccessible. Researchers at the Operational Technology (OT) vendor Nozomi Networks identified the vulnerabilities while reviewing the GE HealthCare Vivid Ultrasound family and the companion software program is utilized to evaluate the created medical information. The primary focus of the analysis was the EchoPAC software, the Vivid T9 ultrasound system, and its pre-installed Common Service Desktop web app.
The researchers discovered 11 vulnerabilities that impact different systems and software solutions. They reported the vulnerabilities to GE HealthCare. GE HealthCare released an announcement stating that current controls minimize the risks of vulnerability exploitation to an acceptable degree, and offer standard cybersecurity strategies, like limiting physical access to the devices. Patches were made available to resolve the vulnerabilities. Customers can access the patches through the GE HealthCare Product Security Portal.
The impacted devices include:
- Vivid products, excluding EchoPAC: All versions
- LOGIQ, excluding LOGIQ 100 Pro: All versions
- Voluson, excluding ImageVault: All versions
- Versana Essential: All versions
- Invenia ABUS Scan station, excluding VScan product line: All versions
- Venue, excluding Venue 40 R1-3 and Venue 50 R4-5: All versions
An attacker can exploit the vulnerabilities by accessing a vulnerable device in the hospital environment. An attacker might need to use an embedded keyboard and trackpad, which restricts the chance of exploitation. In case of successful vulnerability exploitation, an attacker can have administrative privileges for arbitrary code execution.
Considering that administrative privileges could be acquired, security protections on the Windows operating system can be deactivated. The researchers showed that proof-of-concept ransomware can be used to make the Vivid T9 devices non-operational, and workstations operating Echopac. For Echopac and Vivid T9, settings could be circumvented to access and control all patient information saved in the connected SQL Anywhere database.
The 11 vulnerabilities are
- CVE-2024-27107 – The vulnerability with the greatest security score is a critical vulnerability with a 9.6 CVSS score and is a result of using hard-coded credentials.
- CVE-2020-6977 – This vulnerability with 8.4 CVSS is due to a protection mechanism failure that enables a threat actor to evade the kiosk mode functionality and gain access to the root operating system
- CVE-2024-1628 with 8.4 CVSS score is a command injection vulnerability
- CVE-2024-27110 with 8.4 CVSS score and CVE-2024-1486 with 7.4 CVSS score are elevation of privilege vulnerabilities
- CVE-2024-1630 with 7.7 CVSS score and CVE-2024-1629 with 6.2 CVSS score are path traversal vulnerabilities
- CVE-2024-27109 with 7.6 CVSS score is due to insufficiently protected credentials
- CVS-2024-27106 with 5.7 CVSS score is because of non-encryption of sensitive information. Encryption as required by HIPAA can certainly help address this vulnerability.
Zero-Day Vulnerability Used to Install QakBot Malware
Microsoft has introduced a patch to correct vulnerability CVE-2024-30051, a zero-day Windows vulnerability that is exploited during attacks and installs the QakBot malware. Healthcare providers should apply this patch promptly because QakBot is utilized in numerous cyberattacks on the healthcare industry.
QakBot, also known as QBot, was initially discovered in 2008 as a banking trojan utilized for stealing banking details and credentials. The malware has developed through the years into a malware delivery service. Operators work as an initial access brokers, marketing access to breached companies to other attackers, which include ransomware groups. Last summer’s law enforcement operation succeeded in dismantling the QakBot botnet and shut down its infrastructure; but, it was restored and continues to be in operation.
Some threat groups work with the QakBot operators, such as the Black Basta ransomware group. CISA and partners issued a joint cybersecurity advisory warning critical infrastructure organizations concerning Black Basta ransomware attacks. Black Basta is associated with the Ascension ransomware attack, and the group amplified its attacks on the healthcare industry recently.
The heap-based buffer overflow vulnerability is designated a 7.8 CVSS severity score. It increased privilege vulnerability in the core library of Windows DWM (Desktop Windows Manager). An attacker can exploit the vulnerability to obtain SYSTEM privileges.
Researchers at Kaspersky identified the vulnerability CVE-2023-36033 during an investigation. The vulnerability is another elevation of privilege vulnerability in DWM. Microsoft released a patch in December 2023 for this vulnerability. Kaspersky began looking for proof of exploitation and in April 2024 discovered an exploit for the vulnerability. Kaspersky is convinced the vulnerability is exploited by several threat actors to install QakBot and other malware.
CVE-2024-30051 is an actively exploited zero-day vulnerability fixed by Microsoft on May 2024 Patch Tuesday. CVE-2024-30040 is a security feature bypass vulnerability identified in the Windows MSHTML platform. A threat actor can exploit that vulnerability by persuading a user to launch a malicious file on a system without a patch. The file can be uploaded via email or text messenger and the user must be persuaded to respond, although not to click or open the malicious file. The cyberattack can result in remote code execution.
Photo Credit: Bartek – adobestock
