Critical, Unpatched ‘MDhex’ Bugs Threaten Hospital Devices (Security News, January 2020)
A collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals has been discovered.
Dubbed "MDhex" by the researchers at CyberMDX who discovered them, the bugs would allow attackers to disable the devices, harvest personal health information, change alarm settings and alter device functionality.
Two of the six CVEs are summarized here. CVE-2020-6964 exists in the integrated service for keyboard switching of the affected devices and could allow an attacker to obtain remote keyboard input access without authentication over the network.
CVE-2020-6966 arises from the affected products' use of a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution (RCE) on devices on the network.
The MDhex vulnerabilities were named in reference to the number of CVEs issued (six, hence "hex") and their existence in medical devices, as well as the potential for bad actors to wreak havoc from a distance. "As in a witch's hex," Elad Luz, head of research at CyberMDX, told Threatpost.
News URL
https://threatpost.com/critical-mdhex-bugs-ge-medical-devices/152163/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-24 | CVE-2020-6966 | Inadequate Encryption Strength vulnerability in GE Healthcare products. In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server Versions 4.2 and prior, Clinical Information Center (CIC) Versions 4.X and 5.X, and CARESCAPE Central Station (CSCS) Versions 1.X, the affected products utilize a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution on devices on the network. | 10.0 |
2020-01-24 | CVE-2020-6964 | Missing Authentication for Critical Function vulnerability in GE Healthcare products. In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server Versions 4.2 and prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, and CARESCAPE Central Station (CSCS) Versions 2.X, the integrated service for keyboard switching of the affected devices could allow attackers to obtain remote keyboard input access without authentication over the network. | 8.6 |