Change Healthcare McKesson and Horizon Cardiology

MonitorCVSS 7.8ICS-CERT ICSMA-19-241-01Aug 29, 2019

GE VernovaHealthcare

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

This vulnerability in Change Healthcare Cardiology software (versions 11.x through 14.x, including McKesson and Horizon variants) allows a locally authenticated user to insert specially crafted files that result in arbitrary code execution. The vulnerability is classified as CWE-276 (Incorrect Default Permissions). Change Healthcare has advised users to contact support to arrange installation of a patch, but the advisory indicates no fix is currently available for any affected version. The vulnerability is not remotely exploitable and requires local system access and valid user credentials. No public exploits are known.

What this means

What could happen

A locally authenticated user could insert specially crafted files to achieve arbitrary code execution on Cardiology systems, potentially allowing unauthorized control of patient monitoring, data manipulation, or system disruption in a healthcare environment.

Who's at risk

Healthcare organizations using Change Healthcare Cardiology systems are affected, including hospitals and cardiac care centers. This impacts staff workstations and servers running Cardiology 11.x through 14.x versions (both McKesson and Horizon branded variants). The vulnerability requires local access, so insider threats or compromised workstations in your facility pose the primary risk.

How it could be exploited

An attacker with local access to a workstation or device running vulnerable Cardiology software could upload or inject a specially crafted file through the application interface or file system. Once processed by the application, this file would execute arbitrary code with the privileges of the application or user running it.

Prerequisites

Local access to a workstation or device running vulnerable Cardiology software
Valid user credentials to authenticate to the system
Ability to insert or upload files to the application or file system

Low attack complexityRequires valid user credentialsNo patch available for any affected versionAffects healthcare patient monitoring systemsLocal access required (insider threat risk)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (5)

5 pending

ProductAffected VersionsFix Status

Cardiology: 14.1.x14.1.xNo fix yet

Horizon Cardiology: 12.x12.xNo fix yet

McKesson Cardiology: 14. x14.xNo fix yet

McKesson Cardiology: 13.x13.xNo fix yet

Horizon Cardiology: 11.x and earlier≤ 11.xNo fix yet

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGRestrict physical and network access to Cardiology systems to authorized personnel only; implement access controls and follow least privilege principles

HARDENINGLocate medical devices behind firewalls and isolate them from general network traffic where operationally possible

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXContact Change Healthcare Support immediately to arrange installation of the supplied patch (U.S./Canada: 1-877-654-4366; International: 972-376-98000 ext. 1)

HARDENINGDisable unnecessary accounts, protocols, and services on Cardiology systems

Long-term hardening

0/2

HARDENINGImplement defense-in-depth strategies including network segmentation and monitoring for suspicious file uploads or injections

HARDENINGTrain staff not to open unsolicited email attachments or click web links that could deliver malicious files to Cardiology workstations

CVEs (1)

CVE-2018-18630

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e94ca38e-f513-4fa5-b4b6-672e768db909

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.