A CERT Vulnerability Note published Dec. 1 warned of a pair of vulnerabilities in the Epiphany Cardio Server ECG Management System Version 3.3 that could be used to allow unauthenticated miscreants access to patient data as well as let them modify it as well.
The system is a repository of patient information gathered from various medical devices and used by medical professionals to access via a web browser from virtually anywhere test results and other sensitive data. The vulnerabilities include CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CVE-2015-6537), which allows a SQL command to “be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator,” the note said.
The second vulnerability, CWE-90, Improper Neutralization of Special Elements used in an LDAP Query (CVE-2015-6538) allows an LDAP query to “be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice,” the note said, adding that other versions of the system in addition to version 3.3 could “be impacted.”
CERT also said that Epiphany noted version 3.x of the server is “no longer recommended” because it is long outdated and “requires Windows Sever 2003, which is also end-of-life and no longer receives security updates.”
