CVE-2017-14008
📋 TL;DR
GE Centricity PACS RA1000 medical imaging devices use default or hard-coded credentials, allowing remote attackers to bypass authentication and gain full access to affected systems. This affects all current versions of these diagnostic image analysis devices used in healthcare settings.
💻 Affected Systems
- GE Centricity PACS RA1000
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of medical imaging systems leading to unauthorized access to patient data, manipulation of diagnostic images, disruption of healthcare services, and potential patient safety risks.
Likely Case
Unauthorized access to medical imaging systems and patient health information (PHI), potential data exfiltration, and system manipulation affecting diagnostic workflows.
If Mitigated
Limited impact with proper network segmentation and access controls, though the fundamental authentication bypass remains present.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded/default credentials, which are likely documented or easily discovered. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available advisories
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSMA-18-037-02
Restart Required: No
Instructions:
Contact GE Healthcare for specific remediation guidance. No official patch was mentioned in the ICS-CERT advisory.
🔧 Temporary Workarounds
Network Segmentation
Isolate GE Centricity PACS RA1000 devices on separate VLANs with strict firewall rules limiting access to authorized medical personnel only.
Credential Rotation
Change all default credentials if the device allows credential modification. Implement strong, unique passwords for all accounts.
🧯 If You Can't Patch
- Implement strict network access controls allowing only necessary connections from authorized medical workstations
- Monitor network traffic to/from these devices for unauthorized access attempts and credential usage
🔍 How to Verify
Check if Vulnerable:
Check device configuration for use of default or hard-coded credentials. Attempt authentication using known default credentials for GE medical devices.
Check Version:
Check device interface or contact GE Healthcare support for version information
Verify Fix Applied:
Verify that default credentials no longer work and that strong, unique credentials are required for authentication.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful logins
- Multiple login attempts from unusual IP addresses
- Administrative access from non-medical workstations
Network Indicators:
- Authentication traffic to device management interfaces from unauthorized network segments
- Unusual data transfers from imaging devices
SIEM Query:
source_ip NOT IN (authorized_medical_ips) AND dest_ip IN (pacs_device_ips) AND (event_type="authentication_success" OR protocol="ssh" OR protocol="telnet")
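The query above and the "failed attempts followed by successful logins" indicator can be prototyped offline before they are ported to a SIEM. The following is an added example, not part of the advisory or any vendor tooling; the event schema, the `authentication_failure` event type, the failure threshold and all IP addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed, constructed address plan; substitute the site's real inventory.
AUTHORIZED_MEDICAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]
PACS_DEVICE_IPS = {ipaddress.ip_address("10.20.40.10")}
REMOTE_ADMIN_PROTOCOLS = {"ssh", "telnet"}
FAILURES_BEFORE_SUCCESS = 3  # assumed threshold for "failures then success"

def detect(events):
    """Return (reason, event) pairs for events matching the page's indicators."""
    alerts, failures = [], {}  # failures: (src, dst) -> failed logins so far
    for ev in events:
        src = ipaddress.ip_address(ev["source_ip"])
        dst = ipaddress.ip_address(ev["dest_ip"])
        if dst not in PACS_DEVICE_IPS:
            continue  # only traffic addressed to PACS devices is in scope
        etype = ev.get("event_type")
        authorized = any(src in net for net in AUTHORIZED_MEDICAL_NETS)
        # SIEM query: unauthorized source AND (auth success OR ssh/telnet).
        if not authorized and (etype == "authentication_success"
                               or ev.get("protocol") in REMOTE_ADMIN_PROTOCOLS):
            alerts.append(("unauthorized_source", ev))
        # Log indicator: repeated failures followed by a successful login.
        key = (src, dst)
        if etype == "authentication_failure":
            failures[key] = failures.get(key, 0) + 1
        elif etype == "authentication_success" and failures.pop(key, 0) >= FAILURES_BEFORE_SUCCESS:
            alerts.append(("failures_then_success", ev))
    return alerts

def mk(src, proto, etype, dst="10.20.40.10"):
    """Build one event record in the assumed schema."""
    return {"source_ip": src, "dest_ip": dst, "protocol": proto, "event_type": etype}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    mk("10.20.30.15", "https", "authentication_success"),   # authorized: no alert
    mk("192.168.7.50", "telnet", "connection"),             # telnet from outside
    mk("10.20.30.22", "https", "authentication_failure"),
    mk("10.20.30.22", "https", "authentication_failure"),
    mk("10.20.30.22", "https", "authentication_failure"),
    mk("10.20.30.22", "https", "authentication_success"),   # failures then success
    mk("192.168.7.50", "ssh", "authentication_success", dst="10.20.99.1"),  # not a PACS
    mk("192.168.7.51", "https", "authentication_success"),  # success from outside
]

if __name__ == "__main__":
    for reason, ev in detect(SAMPLE_EVENTS):
        print(reason, ev["source_ip"], "->", ev["dest_ip"], ev["event_type"])
```

Note that a login with a default or hard-coded credential succeeds on the first attempt, so the source-address rule is the one that catches it; the failure-count rule only covers guessing.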