Change Healthcare recommends that users arrange for installation of the supplied patch to address an incorrect default permissions vulnerability in its Change Healthcare Cardiology, Horizon Cardiology, and McKesson Cardiology products, according to a CISA report.
Successful exploitation of this vulnerability, discovered by Alfonso Powers and Bradley Shubin of Asante Information Security, could allow a locally authenticated user to insert specially crafted files that could result in arbitrary code execution.
The following Change Healthcare Cardiology devices suffer from the issue:
• Horizon Cardiology 11.x and earlier
• Horizon Cardiology 12.x
• McKesson Cardiology 13.x
• McKesson Cardiology 14.x
• Change Healthcare Cardiology 14.1.x
Insecure file permissions in the default installation may allow an attacker with local system access to execute unauthorized arbitrary code.
CVE-2018-18630 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product is used mainly in the healthcare and public health sectors and is deployed worldwide.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.
Change Healthcare recommends users of the affected versions contact Change Healthcare Support as soon as possible to arrange installation of the supplied patch. To contact Change Healthcare Support call:
• U.S./Canada 1-877-654-4366
• International Toll Free – 972-37698000 ext. 1