OTPulse

Change Healthcare McKesson and Horizon Cardiology

Monitor | CVSS 7.8 | ICS-CERT ICSMA-19-241-01 | Aug 29, 2019
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

This vulnerability in Change Healthcare Cardiology software (versions 11.x through 14.x, including McKesson and Horizon variants) allows a locally authenticated user to insert specially crafted files that result in arbitrary code execution. The vulnerability is classified as CWE-276 (Incorrect Default Permissions). Change Healthcare has advised users to contact support to arrange installation of a patch, but the advisory indicates no fix is currently available for any affected version. The vulnerability is not remotely exploitable and requires local system access and valid user credentials. No public exploits are known.

What this means
What could happen
A locally authenticated user could insert specially crafted files to achieve arbitrary code execution on Cardiology systems, potentially allowing unauthorized control of patient monitoring, data manipulation, or system disruption in a healthcare environment.
Who's at risk
Healthcare organizations using Change Healthcare Cardiology systems are affected, including hospitals and cardiac care centers. This impacts staff workstations and servers running Cardiology 11.x through 14.x versions (both McKesson and Horizon branded variants). The vulnerability requires local access, so insider threats or compromised workstations in your facility pose the primary risk.
How it could be exploited
An attacker with local access to a workstation or device running vulnerable Cardiology software could upload or inject a specially crafted file through the application interface or file system. Once processed by the application, this file would execute arbitrary code with the privileges of the application or user running it.
Prerequisites
  • Local access to a workstation or device running vulnerable Cardiology software
  • Valid user credentials to authenticate to the system
  • Ability to insert or upload files to the application or file system
  • Low attack complexity
  • Requires valid user credentials
  • No patch available for any affected version
  • Affects healthcare patient monitoring systems
  • Local access required (insider threat risk)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
5 pending
Product | Affected Versions | Fix Status
Cardiology: 14.1.x | 14.1.x | No fix yet
Horizon Cardiology: 12.x | 12.x | No fix yet
McKesson Cardiology: 14.x | 14.x | No fix yet
McKesson Cardiology: 13.x | 13.x | No fix yet
Horizon Cardiology: 11.x and earlier | ≤ 11.x | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict physical and network access to Cardiology systems to authorized personnel only; implement access controls and follow least privilege principles
  • HARDENING: Locate medical devices behind firewalls and isolate them from general network traffic where operationally possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Contact Change Healthcare Support immediately to arrange installation of the supplied patch (U.S./Canada: 1-877-654-4366; International: 972-376-98000 ext. 1)
  • HARDENING: Disable unnecessary accounts, protocols, and services on Cardiology systems
Long-term hardening
  • HARDENING: Implement defense-in-depth strategies including network segmentation and monitoring for suspicious file uploads or injections
  • HARDENING: Train staff not to open unsolicited email attachments or click web links that could deliver malicious files to Cardiology workstations