CVE-2012-6694 in Healthcare Centricity PACS

Summary

by MITRE

GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1, and Server 4.0, has a password of 2charGE for the geservice account, which has unspecified impact and attack vectors related to TimbuktuPro. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires it.


Analysis

by VulDB Data Team • 09/04/2017

CVE-2012-6694 affects GE Healthcare Centricity PACS Workstation versions 4.0 and 4.0.1, as well as Server 4.0, through a hardcoded password on the geservice account. The account uses a password of only two characters, an extremely weak authentication mechanism that undermines the system's security posture. A password that short offers minimal entropy and is easily recovered by brute-force or dictionary guessing, all the more so because the value itself is publicly known.

The flaw is a classic case of hardcoded credentials in a medical imaging system, where a default administrative password is not changed or otherwise secured at deployment; it maps to CWE-798, which covers the use of hardcoded credentials in software. The reference to TimbuktuPro points to a remote-access integration as the likely exposure, though the original description leaves the exact attack vectors unspecified. A password of only two characters also falls well short of security best practices and industry standards such as NIST SP 800-63B, which recommends minimum password lengths of at least 8 characters for administrative accounts.

The operational impact of this vulnerability extends beyond simple credential compromise, as it provides potential attackers with unauthorized access to critical medical imaging systems that store sensitive patient information. In healthcare environments, such access could enable data exfiltration, system manipulation, or disruption of medical services that rely on PACS infrastructure for diagnostic imaging workflows. The unspecified nature of the attack vectors suggests that multiple exploitation paths may exist through the TimbuktuPro integration, potentially including remote desktop access, network reconnaissance, or lateral movement within hospital networks. This vulnerability particularly concerns healthcare organizations as it could facilitate breaches that compromise patient privacy and violate HIPAA regulations.

Mitigation should focus on credential remediation: change the geservice password immediately and enforce password policies with minimum-length and complexity requirements. Organizations should inventory all systems for hardcoded credentials and use automated scanning to detect similar weaknesses across their infrastructure. Remediation must verify that default accounts are either disabled or have properly secured credentials, in line with the principle of least privilege and NIST guidance for secure system configuration. Network segmentation should additionally limit access to critical medical systems and contain the impact of a credential compromise. Regular security assessments and vulnerability scanning should be conducted to prevent recurrence, particularly on legacy medical systems that were not designed with modern security requirements in mind.
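One way to implement the inventory audit described above, as an added example that is not part of the VulDB entry or any GE tooling: each enabled service account is checked against a denylist of published default credentials (the geservice/2charGE pair from this entry) and against a NIST SP 800-63B style minimum length. The hostnames, the `Account` record and the cleartext password export are assumptions for illustration.

```python
from dataclasses import dataclass

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for memorized secrets

# Published default credentials keyed by (product, account). The geservice
# entry is the pair described in CVE-2012-6694; extend as advisories appear.
KNOWN_DEFAULTS = {
    ("Centricity PACS", "geservice"): {"2charGE"},
}


@dataclass(frozen=True)
class Account:
    host: str       # hypothetical inventory field
    product: str
    name: str
    password: str   # assumes a cleartext export from the configuration store
    enabled: bool


def audit(accounts):
    """Return (host, account, finding) tuples for every policy violation.

    An enabled default account is acceptable only when its credential has been
    rotated to a value that is neither published nor shorter than MIN_LENGTH.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be logged into; nothing to flag
        published = KNOWN_DEFAULTS.get((acct.product, acct.name), set())
        if acct.password in published:
            findings.append((acct.host, acct.name,
                             "CWE-798: published default credential still in use"))
        elif len(acct.password) < MIN_LENGTH:
            findings.append((acct.host, acct.name,
                             f"password shorter than {MIN_LENGTH} characters"))
    return findings


# Constructed inventory: two workstations and one server, one already remediated.
INVENTORY = [
    Account("pacs-ws-01", "Centricity PACS", "geservice", "2charGE", True),
    Account("pacs-ws-02", "Centricity PACS", "geservice", "rotated-per-site-passphrase", True),
    Account("pacs-srv-01", "Centricity PACS", "backup", "bk2015", True),
    Account("pacs-srv-01", "Centricity PACS", "demo", "demo", False),
]

if __name__ == "__main__":
    for host, name, finding in audit(INVENTORY):
        print(f"{host}: {name}: {finding}")
```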

Reservation

07/05/2015

Disclosure

08/04/2015

Moderation

accepted

Entry

VDB-76916

CPE

ready

EPSS

0.00624

KEV

no

Activities

very low
