CVE-2002-2445 in Healthcare Millennium
Summary
by MITRE
GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) "service." for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdown user, which has unspecified impact and attack vectors.
Analysis
by VulDB Data Team • 09/04/2017
CVE-2002-2445 describes a critical weakness in GE Healthcare Millennium MG, NC, and MyoSIGHT medical imaging systems: the devices ship with default administrative credentials. Because these systems run in clinical environments where patient safety and data integrity are paramount, the weakness carries significant risk for any organization operating them. Hard-coded default passwords violate basic security principles and leave a persistent attack vector that requires minimal technical expertise to use.
Technically, the weakness lies in well-known default credentials embedded in the device firmware or configuration files for five distinct accounts. The root account uses the password "root.genie", a predictable pattern typical of embedded-system defaults; the service account uses "service.", the admin account "admin.genie", the reboot account "reboot", and the shutdown account "shutdown". These credentials are a textbook case of weak authentication that falls short of modern standards and hands anyone who knows them immediate access to critical system functions.
The operational impact goes beyond unauthorized access: an attacker holding these credentials could manipulate medical imaging data, compromise patient records, and disrupt clinical operations. Medical imaging systems hold highly sensitive patient information subject to HIPAA and other healthcare data protection regimes. With default credentials in place, an unauthorized party can obtain administrative privileges without any additional authentication factor or knowledge of the site-specific configuration, opening the door to data breaches, system manipulation, and patient safety risks if images or system settings are altered.
This weakness maps to CWE-798 (use of hard-coded credentials) and to CWE-312 (cleartext storage of sensitive information). Attack vectors exist both internally and externally, since default credentials are routinely discovered through public repositories, security research, or simple network reconnaissance. The MITRE ATT&CK framework categorizes this as a credential access technique, specifically the use of default credentials to establish persistent access to target systems. Organizations running these GE Healthcare systems also face compliance exposure: leaving default passwords in place conflicts with NIST SP 800-53 and ISO 27001 requirements for secure configuration and access control management.
Mitigation requires immediate administrative action: change every default password to a strong, unique credential that meets organizational policy. Administrators must put in place password management policies that enforce regular credential rotation and prohibit default or easily guessable passwords. Network segmentation and access controls should limit both physical and logical access to these systems. Organizations should also run regular security assessments to find and remediate similar configuration issues across their IT estate. Multi-factor authentication and privileged access management add further layers of protection so that discovery of a default credential alone does not grant access. Finally, regular security awareness training for IT staff and system administrators helps ensure proper configuration practice and prevents the same issue from recurring in newly deployed or updated systems.
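As an added example (not part of the VulDB analysis and not GE Healthcare's code), the following Python audit checks a device's credential store against the five factory defaults documented in this CVE and reports which accounts still need rotation. The PBKDF2 record format, the `SAMPLE_STORE` contents and the extra `tech` account are constructed assumptions; the real device's credential storage format is not described here.

```python
import hashlib
import hmac
import os

# Default credentials documented in CVE-2002-2445 for GE Healthcare
# Millennium MG/NC/MyoSIGHT (account -> factory default password).
CVE_2002_2445_DEFAULTS = {
    "root": "root.genie",
    "service": "service.",
    "admin": "admin.genie",
    "reboot": "reboot",
    "shutdown": "shutdown",
}


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over a per-record salt. Hypothetical store
    format chosen for this example; the advisory does not describe
    how the device actually stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_record(user: str, password: str) -> dict:
    """Build one constructed credential-store record."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": derive(password, salt)}


def audit_default_credentials(store, defaults=CVE_2002_2445_DEFAULTS):
    """Return the accounts whose stored hash still verifies against the
    published factory default; those are the ones that must be rotated.
    Accounts not covered by the advisory are skipped."""
    findings = []
    for rec in store:
        default_pw = defaults.get(rec["user"])
        if default_pw is None:
            continue
        if hmac.compare_digest(derive(default_pw, rec["salt"]), rec["hash"]):
            findings.append(rec["user"])
    return findings


# Constructed sample store: two accounts rotated, three still on defaults.
SAMPLE_STORE = [
    make_record("root", "root.genie"),
    make_record("service", "service."),
    make_record("admin", "correct-horse-battery-staple"),
    make_record("reboot", "reboot"),
    make_record("shutdown", "Z9!kq-rotated-2017"),
    make_record("tech", "tech"),  # not in the advisory; ignored by the audit
]

if __name__ == "__main__":
    for user in audit_default_credentials(SAMPLE_STORE):
        print(f"{user}: still uses the CVE-2002-2445 factory default; rotate now")
```

Because the check verifies each account against the salted hash rather than comparing plaintext, it can run against an exported credential store without handling any live password.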