Researchers Uncover 11 Security Flaws in GE HealthCare Ultrasound Machines

Security researchers have disclosed almost a dozen security flaws affecting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances.

“The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices,” operational technology (OT) security vendor Nozomi Networks said in a technical report.

The security issues affect the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, which is exposed on the localhost interface of the device and allows users to perform administrative actions.

They also affect another software program called EchoPAC, which is installed on a physician’s Windows workstation to help them access multi-dimensional echo, vascular, and abdominal ultrasound images.

That said, successful exploitation of the flaws requires a threat actor to first gain access to the hospital environment and physically interact with the device; only then can they be exploited to achieve arbitrary code execution with administrative privileges.

In a hypothetical attack scenario, a malicious actor could lock out the Vivid T9 systems by implanting a ransomware payload, or exfiltrate or tamper with patient data.


The most severe of the vulnerabilities is CVE-2024-27107 (CVSS score: 9.6), which concerns the use of hard-coded credentials. Other identified shortcomings relate to command injection (CVE-2024-1628), execution with unnecessary privileges (CVE-2024-27110 and CVE-2020-6977), path traversal (CVE-2024-1630 and CVE-2024-1629), and protection mechanism failure (CVE-2020-6977).

The exploit chain devised by Nozomi Networks combines CVE-2020-6977 to obtain local access to the device and then weaponizes CVE-2024-1628 to achieve code execution.

“However, to speed up the process, […] an attacker may also abuse the exposed USB port and attach a malicious thumb drive that, by emulating the keyboard and mouse, automatically performs all necessary steps at faster-than-human speed,” the company said.

Alternatively, an adversary could obtain access to a hospital’s internal network using stolen VPN credentials gathered by other means (e.g., phishing or a data leak), scan for vulnerable installations of EchoPAC, and then exploit CVE-2024-27107 to gain unfettered access to the patient database, effectively compromising its confidentiality, integrity, and availability.


GE HealthCare, in a set of advisories, said “existing mitigations and controls” reduce the risks posed by these flaws to acceptable levels.

“In the unlikely event a malicious actor with physical access could render the device unusable, there would be clear indicators of this to the intended user of the device,” it noted. “The vulnerability can only be exploited by someone with direct, physical access to the device.”

The disclosure comes weeks after security flaws were also uncovered in the Merge DICOM Toolkit for Windows (CVE-2024-23912, CVE-2024-23913, and CVE-2024-23914) that could be used to trigger a denial-of-service (DoS) condition on the DICOM service. The issues were addressed in version v5.18 of the library.

It also follows the discovery of a maximum-severity security flaw in the Siemens SIMATIC Energy Manager (EnMPro) product (CVE-2022-23450, CVSS score: 10.0) that could be exploited by a remote attacker to execute arbitrary code with SYSTEM privileges by sending maliciously crafted objects.

“An attacker successfully exploiting this vulnerability could remotely execute code and gain complete control over an EnMPro server,” Claroty security researcher Noam Moshe said.

Users are strongly advised to update to version V7.3 Update 1 or later, as all versions prior to it contain the insecure deserialization vulnerability.
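The EnMPro advisory does not describe the product’s internals, so the following is an added example of the insecure-deserialization bug class in general, written in Python and not taken from Siemens, Claroty, or this article. It assumes a service that deserializes objects received over the network (here via the standard library’s pickle, standing in for whatever object format a real product uses); the class names Reading, MaliciousPayload and SafeUnpickler, and the run_side_effect stand-in for a real command execution, are constructed for the demonstration. The unsafe loader resolves whatever callable the stream names and runs it; the hardened loader checks every global lookup against an allowlist before any object is built, so a crafted stream fails closed.

```python
import io
import pickle

# Added illustration of the insecure-deserialization bug class; not EnMPro code.
# Constructed for the demo: a list that records whether attacker-chosen code ran.
SIDE_EFFECTS = []


def run_side_effect(message):
    """Harmless stand-in for os.system or similar so the demo can run safely."""
    SIDE_EFFECTS.append(message)


class Reading:
    """The only object type the receiving service legitimately expects (assumed)."""

    def __init__(self, patient_id, value):
        self.patient_id = patient_id
        self.value = value


class MaliciousPayload:
    """Crafted object: __reduce__ makes the stream say 'call run_side_effect(...)'
    instead of carrying state, so merely loading it executes the call."""

    def __reduce__(self):
        return (run_side_effect, ("attacker code ran",))


def serialize(obj):
    return pickle.dumps(obj, protocol=4)


def load_unsafe(data):
    """Vulnerable: pickle.loads resolves any module.name the stream asks for."""
    return pickle.loads(data)


# Allowlist of (module, qualname) pairs the hardened loader may resolve.
ALLOWED_GLOBALS = {(__name__, "Reading")}


class SafeUnpickler(pickle.Unpickler):
    """Hardened loader: find_class runs for every global the stream references,
    before that global can be called, so unknown names are refused up front."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_safe(data):
    return SafeUnpickler(io.BytesIO(data)).load()


def safe_loader_rejects(data):
    """True if the hardened loader refuses the stream without running anything."""
    try:
        load_safe(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = serialize(MaliciousPayload())
    load_unsafe(payload)
    print("unsafe loader side effects:", SIDE_EFFECTS)   # ['attacker code ran']
    SIDE_EFFECTS.clear()
    print("safe loader rejects payload:", safe_loader_rejects(payload))  # True
    print("side effects after safe load:", SIDE_EFFECTS)  # []
    r = load_safe(serialize(Reading("P-001", 3.5)))
    print("safe loader accepted:", r.patient_id, r.value)
```

The allowlist is the whole fix: the crafted stream is rejected at the lookup of run_side_effect, which happens before the REDUCE step that would call it, while a legitimate Reading still round-trips. The same pattern (refuse to resolve any type not explicitly expected, before instantiation) is what Java’s ObjectInputFilter and .NET serialization binders provide for their own formats.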


Security weaknesses have also been unearthed in the ThroughTek Kalay Platform integrated within Internet of Things (IoT) devices (CVE-2023-6321 through CVE-2023-6324) that allow an attacker to escalate privileges, execute commands as root, and establish a connection with a victim device.

“When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote code execution to completely subvert the victim device,” Romanian cybersecurity firm Bitdefender said. “Remote code execution is only possible after the device has been probed from the local network.”

The vulnerabilities, patched as of April 2024 following responsible disclosure in October 2023, were found to affect baby monitors and indoor security cameras from vendors such as Owlet, Roku, and Wyze, allowing threat actors to daisy-chain them in order to execute arbitrary commands on the devices.

“The ramifications of these vulnerabilities extend far beyond the realm of theoretical exploits, as they directly impact on the privacy and safety of users relying on devices powered by ThroughTek Kalay,” the company added.
