Vulnerabilities in GE Healthcare Vivid ultrasound system could allow malicious insiders to install ransomware, access patient data

Nozomi Networks Labs researched the Vivid T9, a device from the GE HealthCare Vivid ultrasound family, and its associated software for medical data review. The study, aimed at bolstering the resilience of medical systems against critical security risks, uncovered 11 vulnerabilities that could allow malicious insiders to install ransomware and to access and manipulate patient data. These vulnerabilities affect several GE HealthCare systems and software components, presenting risks such as ransomware installation on the ultrasound machine and unauthorized access to patient data.

Nozomi identified that these exploits could disrupt hospital workflows and compromise the security of medical data. Notably, physical interaction with the device is necessary for the attacker to carry out these actions, using the embedded keyboard and trackpad.

“GE HealthCare features an extensive range of ultrasound systems designed to target a wide variety of patient needs. We investigated the security of the Vivid family, a comprehensive suite of medical imaging systems conceived for cardiovascular care,” according to a Nozomi Networks Labs blog post. “More specifically, our attention was directed towards the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, along with the EchoPAC software.”

The Vivid T9 is an ultrasound system specialized for cardiac ultrasound imaging. It can also act as a general-purpose ultrasound solution for the imaging, measurement, display, and analysis of the human body and fluid, for instance, vascular or abdominal exams.

Under the hood, the Vivid T9 embeds a fully-fledged desktop PC running a version of Microsoft Windows 10 customized by GE HealthCare. Most of the device logic is managed by applications or scripts running on it, including the graphical user interface displayed on the monitors. Notably, the GUI is designed to restrict operators from accessing the underlying Windows OS (similar to a ‘kiosk’ mode), except for a few Windows functionalities that are directly reachable.

Similar to other devices from GE HealthCare, the Vivid T9 comes with a pre-installed Common Service Desktop web application, the post detailed. “Common Service Desktop is an accessory management web application running on the embedded Windows system that allows administrative tasks to be performed, such as changing device passwords, gathering logs, starting network captures, etc. This web application is only exposed on the localhost interface of the device,” it added.

Finally, EchoPAC Software Only is a clinical software package that is usually installed on doctors’ Windows workstations and is used as a comprehensive reviewing station for multi-dimensional echo, vascular, and abdominal ultrasound images. It provides both viewing and measurement-based analysis capabilities for 2D, 4D, and multidimensional ultrasound parametric images from the GE HealthCare Vivid family of scanners, as well as DICOM images from other ultrasound systems.

To enable these dataflows with the ultrasound machine, it installs new listeners for DICOM and for the companion SQL Anywhere DBMS communications, and creates new Windows users for SMB transfers, as documented in the manuals.

Nozomi said that it identified several vulnerabilities that, after gaining access to the hospital environment and device, could be exploited to achieve arbitrary code execution with administrative privileges (i.e., NT AUTHORITY\SYSTEM) through different attack vectors. 

By exploiting these issues, Nozomi Networks Labs assesses that ransomware deployment and access to and manipulation of patient data can be achieved.

Building on previous research conducted by Nozomi Networks Labs, a successful demonstration showcased the capability to encrypt the Vivid T9 ultrasound machine using a proof-of-concept ransomware approach. “After physically accessing the device and removing all Windows security protections (which was possible due to the full privileges obtained), we were able to disrupt the device logic while simultaneously showing a picture on the screen asking for the payment of a ransom. A similar payload may also be executed against a doctor’s workstation running Echopac,” the post added.

Upon achieving code execution with full privileges on a target system, an attacker can gain unrestricted access to and manipulate all patient data stored within, posing a significant security threat. “For instance, when considering Echopac, all patient data is stored in the companion SQL Anywhere. These databases can be easily accessed after exfiltrating and loading the file in a compatible client or, even more simply, by sending SQL commands to the exposed network port. Again, the same weaknesses and conclusions apply for the Vivid T9,” Nozomi Networks Labs revealed. 

The post added that the researchers were able to achieve root arbitrary code execution in all three targets. However, their attack vectors differ: the Vivid T9 requires physical interaction, local access is necessary to abuse Common Service Desktop, whereas code execution against Echopac can be achieved through the local network (‘adjacent’).

Nozomi researchers determined that, when running in the default configuration, the most effective way to exploit a vulnerable Vivid T9 is through a two-phase chain that also involves Common Service Desktop. “First, by abusing the Protection Mechanism Failure issue of CVE-2020-6977, to evade the kiosk mode and obtain local access to the device. This allows the Common Service Desktop web application to be reached; secondly, by exploiting one of the command injection issues found in Common Service Desktop, tracked under CVE-2024-1628, to attain code execution. SYSTEM privileges are immediately granted due to the Execution with Unnecessary Privileges issue of CVE-2020-6977,” they added.

To perform these steps, physical interaction with the device is required because the attacker needs to operate with the embedded keyboard and trackpad. Notably, one of the command injection flaws tracked under CVE-2024-1628 affects an input field that can be exploited by simply typing the command in the input field, as no client-side input validation logic is enforced.

However, to speed up the process, Nozomi said that it “proved that an attacker may also abuse the exposed USB port and attach a malicious thumb drive that, by emulating the keyboard and mouse, automatically performs all necessary steps at faster-than-human speed. For instance, in our lab, we managed to craft a USB drive that completes the entire chain in about one minute. Given that ultrasound machines are expected to be used in facilities such as hospitals or clinics, which are frequently accessed by external individuals, the likelihood of an attack to a device left unattended for one minute is not only possible, but probable under the right conditions.”

“On the other hand, when considering vulnerable Echopac installations, the exploitation can be completed by default from the network and without involving any specific credentials,” according to the researchers. “The only requirement is the possibility for an attacker to exchange network packets with the vulnerable software, which usually means having a foothold into the internal network to which the target is connected. Normally, this may be done in a variety of ways: by physically connecting to a network port in an empty office, by abusing a poorly protected wireless network, or by accessing the corporate VPN service from the internet after compromising the password of an employee (e.g., via phishing).”

Asset owners may find all official patches and/or mitigations for the affected configurations in the GE HealthCare Product Security Portal.

Nozomi Networks Labs called upon asset owners not to leave ultrasound devices unattended, even for a short period of time, as just one minute may be enough to implant malware; on all workstations that have Echopac installed, to block incoming connections to SMB and 2638/tcp (the SQL Anywhere DB server port) via firewall whenever the workstation is connected to an unprotected network; and, generally speaking, to ensure proper network segmentation and limit network communication to essential traffic only.
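The Echopac workstation mitigation above, as an added example that is not part of the Nozomi post or of any GE HealthCare guidance: it creates inbound block rules for SMB (standard ports 139 and 445) and 2638/tcp that apply only when Windows classifies the connected network as Public, then lists the rules and the current network category so an administrator can confirm the block is active. The rule names are arbitrary and chosen here for illustration.

```powershell
# Added example: firewall hardening for a workstation running Echopac.
# Blocks inbound SMB and SQL Anywhere (2638/tcp) on the Public profile, which is the
# profile Windows applies to networks it does not trust. Run from an elevated shell.
$blockRules = @(
    @{ Name = 'Echopac-Block-SMB-139';          Port = 139  },
    @{ Name = 'Echopac-Block-SMB-445';          Port = 445  },
    @{ Name = 'Echopac-Block-SQLAnywhere-2638'; Port = 2638 }
)

foreach ($rule in $blockRules) {
    # Idempotent: re-running the script must not create duplicate rules
    if (-not (Get-NetFirewallRule -Name $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $rule.Name -DisplayName $rule.Name `
            -Direction Inbound -Protocol TCP -LocalPort $rule.Port `
            -Profile Public -Action Block -Enabled True | Out-Null
        Write-Host "Created $($rule.Name): block inbound TCP/$($rule.Port) on Public networks"
    }
    else {
        Write-Host "$($rule.Name) already present, left unchanged"
    }
}

# Verification 1: show the port filter attached to each rule we manage
Get-NetFirewallRule -Name 'Echopac-Block-*' |
    Get-NetFirewallPortFilter |
    Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, Protocol, LocalPort

# Verification 2: which network category is in effect on each adapter right now.
# A rule scoped to Public does nothing while the adapter is on a Private/Domain network,
# so this is the value to check when the workstation is moved to an untrusted network.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Verification 3: is the SQL Anywhere server actually listening on 2638/tcp, and which
# process owns it? Useful to confirm the port the rule protects is the one in use.
Get-NetTCPConnection -State Listen -LocalPort 2638 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the workstation is joined to a domain, the adapter normally reports DomainAuthenticated and the Public-scoped rules stay dormant, which matches the advice to block only on unprotected networks.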

Earlier this week, the Australian National Cyber Security Coordinator (NCSC) disclosed that a commercial health information organization had reported a substantial ransomware data breach incident. This revelation coincides with Washington D.C.-based Ascension Healthcare’s ongoing restoration and recovery efforts following a recent ransomware attack.

In February, research from Nozomi Networks disclosed that pervasive OT (operational technology) and IoT network anomalies raise red flags as threats to critical infrastructure become more sophisticated. Vulnerabilities within critical manufacturing also surged 230 percent, a cause for concern as attackers have far more opportunities to access networks and cause these anomalies.
