SUMMARY
The following vulnerabilities were found in Medicomp System’s MEDCIN Engine application:
CVE-2015-2898, CVE-2015-2901
Certain remote message parsing functions inside the MEDCIN service do not perform proper bounds checking on incoming data, which allow for specially crafted messages to cause a stack buffer overflow.
CVE-2015-2899
Certain remote message parsing functions inside the MEDCIN service do not perform proper bounds checking on incoming data, which allow for specially crafted messages to cause a heap buffer overflow.
CVE-2015-2900
A remote message parsing function inside the MEDCIN service does not properly validate a user provided index into memory which allows for a specially crafted message to write data anywhere in memory.
CVE-2015-6006
Certain remote message parsing functions inside the MEDCIN service improperly truncate user supplied length values which allow for specially crafted messages to cause a heap buffer overflow.
IMPACT
Access Vector:Network Exploitable
Access Complexity:Low
Authentication:Not required to exploit
Impact Type:Allows remote code execution, Allows disruption of service
Privilege Level:SYSTEM
AFFECTED PRODUCTS***
- Allscripts Touchworks
- AthenaHealth
- Pulse Complete EHR
- Greenway Health’s Vitera
- Greenway Health’s Success EHS
- Integreat MED3000
- DoD’s Armed Forces Health Longitudinal Technology Application (AHLTA)
Accompanied CD with Textbooks:
Electronic Health Records: Understanding and Using Computerized Medical Records
Essentials of Electronic Health Records
Electronic Health Records and Nursing
Leave A Comment