CVE-2012-6660 in Healthcare Precision MPi
Summary
by MITRE
GE Healthcare Precision MPi has a password of (1) orion for the serviceapp user, (2) orion for the clinical operator user, and (3) PlatinumOne for the administrator user, which has unspecified impact and attack vectors. NOTE: it is not clear whether these passwords are default, hardcoded, or dependent on another system or product that requires a fixed value.
Analysis
by VulDB Data Team • 09/04/2017
The vulnerability identified in CVE-2012-6660 affects GE Healthcare Precision MPi medical imaging equipment, representing a critical security weakness in healthcare device management systems. This issue involves hardcoded default credentials that persist across multiple user roles within the system, creating a significant attack surface for unauthorized access. The affected device contains three distinct user accounts with weak default passwords including serviceapp with password orion, clinical operator with password orion, and administrator with password PlatinumOne. These hardcoded credentials present a fundamental flaw in the system's authentication mechanism, as they remain unchanged regardless of system deployment or security requirements.
The technical nature of this vulnerability aligns with CWE-798, which describes the use of hard-coded credentials in software systems. The presence of default passwords indicates a failure in implementing proper authentication security practices during the device's development lifecycle. These weak credentials create a persistent security risk because they are typically known to attackers through public databases, security research, or vendor documentation, making the system immediately vulnerable upon deployment. The unspecified attack vectors suggest that exploitation could occur through various means including network-based attacks, physical access, or social engineering approaches that leverage the predictable credential structure.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially compromising patient data integrity and system availability within healthcare environments. Medical devices like the GE Healthcare Precision MPi contain sensitive patient information and operate in regulated environments where security breaches can result in serious consequences. The presence of administrator-level credentials with default passwords creates a pathway for attackers to gain full control over the system, potentially allowing them to modify patient records, alter imaging data, or disrupt critical medical services. This vulnerability also violates fundamental security principles outlined in the NIST Cybersecurity Framework, which emphasizes the importance of secure configuration management and access control implementation.
Mitigation strategies for this vulnerability require immediate action to address the hardcoded credentials issue. Organizations should implement comprehensive credential management policies that mandate changing default passwords at device deployment and establish regular authentication audits. The remediation process must include updating all default passwords to strong, unique values that comply with industry standards such as those specified in NIST SP 800-63B for authentication management. Additionally, system administrators should implement network segmentation to limit access to these devices, deploy intrusion detection systems to monitor for unauthorized access attempts, and establish regular security assessments to identify similar hardcoded credential vulnerabilities across the healthcare infrastructure. The implementation of these controls aligns with ATT&CK technique T1078 (Valid Accounts), which addresses the use of legitimate credentials as a means of persistence within target environments.
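The monitoring control recommended above can be made concrete with a small detection routine. The following is an added example, not VulDB's analysis code and not anything shipped by GE Healthcare: it scans authentication events for the three account names the advisory lists (serviceapp, clinical operator, administrator) and escalates severity when the source address falls outside a segmented management network. The log line format, the management subnet 10.20.30.0/24, and the sample log entries are all constructed assumptions for illustration; the passwords named in the advisory are deliberately not used anywhere in the code.

```python
"""Flag authentication events involving the accounts named in CVE-2012-6660.

Added example; the log format and management subnet are assumptions,
not part of the advisory or of any vendor product.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Account names taken from the advisory text (passwords intentionally omitted).
ADVISORY_ACCOUNTS = frozenset({"serviceapp", "clinical operator", "administrator"})

# Assumed: the segmented network from which the device may legitimately be managed.
MANAGEMENT_NETWORK = ipaddress.ip_network("10.20.30.0/24")

# Constructed log format: <timestamp> auth <success|failure> user="<name>" src=<ip>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth (?P<result>success|failure) '
    r'user="(?P<user>[^"]+)" src=(?P<src>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    result: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(event: dict) -> Optional[Finding]:
    """Score one event; only the advisory's account names produce a finding."""
    user = event["user"]
    if user not in ADVISORY_ACCOUNTS:
        return None
    try:
        outside = ipaddress.ip_address(event["src"]) not in MANAGEMENT_NETWORK
    except ValueError:
        outside = True  # an unparseable source address is treated as untrusted
    success = event["result"] == "success"
    if success and outside:
        severity, reason = "high", "advisory account logged in from outside the management segment"
    elif success:
        severity, reason = "low", "advisory account used from the management segment; confirm its default password was changed"
    elif outside:
        severity, reason = "medium", "failed login against an advisory account from outside the management segment"
    else:
        severity, reason = "low", "failed login against an advisory account from the management segment"
    return Finding(event["ts"], user, event["src"], event["result"], severity, reason)


def scan(lines) -> list:
    """Run the detector over an iterable of log lines, skipping malformed ones."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        finding = assess(event)
        if finding is not None:
            findings.append(finding)
    return findings


def count_by_severity(findings) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample log: one routine management login, one login from an
# unexpected network, one failed attempt from that network, one unrelated user,
# and one malformed line.
SAMPLE_LOG = [
    '2017-04-09T10:00:01Z auth success user="administrator" src=10.20.30.5',
    '2017-04-09T10:02:13Z auth success user="serviceapp" src=192.168.77.9',
    '2017-04-09T10:02:40Z auth failure user="clinical operator" src=192.168.77.9',
    '2017-04-09T10:03:00Z auth success user="radiologist1" src=192.168.77.9',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} user={f.user!r} src={f.src} {f.result}: {f.reason}")
    print(count_by_severity(scan(SAMPLE_LOG)))
```

The low-severity finding for a successful management-segment login is intentional: until the device's default passwords are confirmed changed, every use of these account names is worth reviewing, and the detector gives an auditor a list to work from rather than silently accepting traffic from the trusted subnet.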