Overview

On 1 December 2015, the CERT Coordination Center (“CERT/CC”) issued Vulnerability Note VU#630239 (https://www.kb.cert.org/vuls/id/630239) – “Epiphany Cardio Server version 3.3 is vulnerable to SQL and LDAP injection.”  

The note described the following potential vulnerabilities to Epiphany’s Cardio Server version 3.3: 

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6537 “A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.” and 

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVE-2015-6538 “An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”  

These potential vulnerabilities were uncovered by penetration testing conducted by a 3^rd party security firm. The testing was commissioned by a hospital on their Cardio Server 3.3 system. There is no evidence that either of these vulnerabilities were exploited on any of our installed systems around the world; there is no evidence that patient information was accessed or changed. A patch has been released for both of the potential vulnerabilities on affected versions.

Both vulnerabilities require that the attacker have a valid user name on the Cardio Server system. Customers with affected Cardio Server versions that have login screens exposed directly to the Internet may have a higher risk of exposure to this vulnerability.

Upon further review of these potential vulnerabilities, it has been determined that:

• The SQL Injection vulnerability only affects Cardio Server version 3.3; and
• The LDAP Injection vulnerability only affects Cardio Server version 3.3, 4.0 and 4.1.

Patches to eliminate these vulnerabilities for Cardio Server version 3.3, 4.0 and 4.1 are available from Epiphany Healthcare.  

1^st Vulnerability Scenario—SQL Injection

“A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.”

Vulnerability Mitigation

• This potential vulnerability is only present in Cardio Server version 3.3. A patch to close the vulnerability is available. 

• The potential vulnerability is limited to affected Cardio Server systems where a login page is displayed. If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.

2^nd Vulnerability Scenario—LDAP Injection

“An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”

Vulnerability Mitigation

• This potential vulnerability may exist in Cardio Server versions 3.3, 4.0 and 4.1.  A patch to close the vulnerability exists for each version.

• The potential vulnerability is limited to affected Cardio Server systems where the login page displays a domain-selection, drop-down menu. 

• If your system does not display a domain-selection, drop-down menu on the login page, this vulnerability does not apply.

• If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.

Summary

Epiphany takes its customers’ security seriously. We apologize for any inconvenience this may have caused. We have patches available for the above-named vulnerabilities. 

We have no evidence that any patient information was accessed. 

Most Cardio Server systems reside inside of our end-users’ firewalls with all the appropriate firewall protections that our end users deploy. Cardio Server login screens that are directly available from the internet are at higher risk.

Epiphany performs thorough verification and validation on each version release. Our last Cardio Server version release included ~5,000 test steps on six browsers totaling ~30,000 completed test steps.

If you are a Cardio Server 3.X customer and your system is running on Windows Server 2003, we highly recommend that you upgrade to Cardio Server version 5.0, which supports Windows Server 2008 R2 or Windows Server 2012 R2. We believe that any Cardio Server systems running under Windows Server 2003 are subject to potential security risks associated with the EOL status of Windows Server 2003.

Action

Please contact Epiphany’s Vice President of Professional Services, Kelli Sudduth, with any questions you may have, including requesting patches for your Cardio Server. Kelli’s number is: (919) 354-5050 or kellisudduth@epiphanyhd.com.