Two flaws in medical system put patient info at risk, CERT warns

A CERT Vulnerability Note published Dec. 1 warned of a pair of vulnerabilities in the Epiphany Cardio Server ECG Management System Version 3.3 that could allow unauthenticated miscreants to access patient data and to modify it.

The system is a repository of patient information gathered from various medical devices, which medical professionals use to access test results and other sensitive data via a web browser from virtually anywhere. The vulnerabilities include CWE-89, Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CVE-2015-6537), which allows a SQL command to “be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator,” the note said.

The second vulnerability, CWE-90, Improper Neutralization of Special Elements used in an LDAP Query (CVE-2015-6538), allows an LDAP query to “be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker’s choice,” the note said, adding that other versions of the system in addition to version 3.3 could “be impacted.”
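Both CWE-89 and CWE-90 above come down to request values being spliced into query syntax. As an added illustration (not code from the article, CERT or Epiphany; the user table, login names and the sAMAccountName filter are constructed), the login lookup below is shown in its string-concatenated form beside a parameterized one, with an RFC 4515 filter escape for the LDAP side:

```python
import sqlite3

# Constructed in-memory login table standing in for a web app's user store.
# Hypothetical schema; it is not Cardio Server's own.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "correct-horse", "administrator"),
        ("nurse1", "battery-staple", "clinician"),
    ])
    return db

def login_concat(db, user, pw):
    """CWE-89 pattern: request values spliced into the SQL text, so a
    quote in the login name rewrites the WHERE clause."""
    q = f"SELECT role FROM users WHERE name='{user}' AND pw='{pw}'"
    row = db.execute(q).fetchone()
    return row[0] if row else None

def login_param(db, user, pw):
    """Hardened form: bound parameters keep request values out of the SQL
    grammar, so the same input is compared as a literal string."""
    q = "SELECT role FROM users WHERE name=? AND pw=?"
    row = db.execute(q, (user, pw)).fetchone()
    return row[0] if row else None

# RFC 4515 escaping for LDAP search-filter values (the CWE-90 counterpart).
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def ldap_user_filter(user):
    """Build the lookup filter for a login name; the name is escaped so it
    cannot close the filter or add clauses of its own."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(user)}))"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin'--", "x"))   # administrator (no password needed)
    print(login_param(db, "admin'--", "x"))    # None
    print(ldap_user_filter("*)(uid=*"))
```

Escaping the filter does not by itself cover the variant the note describes, where the query's destination is attacker-chosen; the directory server address must come from server configuration, never from the request.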

CERT also said that Epiphany noted version 3.x of the server is “no longer recommended” because it is long outdated and “requires Windows Server 2003, which is also end-of-life and no longer receives security updates.”


SOURCE: Teri Robinson | scmagazine.com
