Advisory Statements

Alert: DHE_EXPORT ciphersuite and “Logjam” issue

On May 21, 2015, details regarding CVE-2015-4000 were released to the public. A flaw in the "DHE_EXPORT" ciphersuite, used when negotiating the security protocol for HTTPS communication, was discovered that could make it easier for man-in-the-middle attackers to downgrade the level of encryption, putting information at risk of exposure. For detailed information, visit NIST's website.
 
  • NIST has classified the overall severity as "Medium"
  • Healthcare providers who are using browser-based applications over secure web connections (https://) are at risk of having data communications intercepted by an unauthorized party under certain conditions. These conditions require the attacker to be a man-in-the-middle and the DHE_EXPORT cipher to be enabled on both the user's browser and the web server.
  • A likely scenario would be accessing Merge web applications from public or unprotected Wi-Fi networks.
  • Merge recommends that users avoid untrusted Wi-Fi networks. Merge also recommends that customers disable the DHE_EXPORT cipher on any public-facing web servers they use to host Merge solutions.

For questions or more information, please contact Merge Technological Support at 877.741.5369 or email support@merge.com.
 

Alert: SSL encryption protocol 3.0 and “POODLE” issue

On October 14, 2014, the Department of Homeland Security, National Cyber Security Division released details regarding CVE-2014-3566. The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. For detailed information, visit NIST's website.
  • Healthcare providers who are using browser-based applications over secure web connections (https://) are at risk of having data communications intercepted by an unauthorized party under certain conditions. These conditions require the attacker to be a man-in-the-middle and SSL 3.0 to be enabled on both the user's browser and the web server.
  • A likely scenario would be accessing Merge web applications from public or unprotected Wi-Fi networks.
  • Merge recommends that users disable SSL 3.0 in Internet Explorer and avoid untrusted Wi-Fi networks. Merge also recommends that SSL 3.0 be disabled on any public-facing web servers customers use to host Merge solutions.
    Instructions for disabling SSL 3.0 in Internet Explorer or on a server: https://technet.microsoft.com/library/security/3009008.aspx
  • For questions or more information, please contact Merge Technological Support at 877.741.5369 or email support@merge.com.
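The two server-side recommendations in the Logjam and POODLE alerts above (disable the DHE_EXPORT cipher, disable SSL 3.0) can be checked statically against a web server's configuration before the server is exposed. The script below is an added example written for this page, not Merge's code: it parses nginx (ssl_protocols / ssl_ciphers) and Apache mod_ssl (SSLProtocol / SSLCipherSuite) directives, evaluates the OpenSSL cipher string conservatively for selectors that pulled in export-grade suites on OpenSSL 1.0.1-era builds (ALL, DEFAULT, EXP/EXPORT, and suite names beginning EXP-, such as EXP-EDH-RSA-DES-CBC-SHA, OpenSSL's name for a DHE_EXPORT suite), and reports one finding per advisory. The sample configurations are constructed, the function names and the selector list are this example's own assumptions, and the authoritative expansion of any cipher string remains `openssl ciphers -v '<list>'`.

```python
"""Static audit of web-server TLS settings for the two weaknesses in the
advisories above: SSL 3.0 still enabled (POODLE) and export-grade suites
such as DHE_EXPORT still negotiable (Logjam).  Added example; assumptions
are marked in comments."""
import re

# Protocols that Apache's "all" keyword expands to when built against
# OpenSSL 1.0.1 or later (assumption taken from the Apache 2.4 SSLProtocol
# documentation; SSLv2 is never part of "all").
APACHE_ALL = {"SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}

# OpenSSL cipher-list selectors that include export-grade suites on
# 1.0.1-era builds (assumption: ALL and DEFAULT did, unless !EXPORT was
# appended).  Individual export suites are all named EXP-..., e.g.
# EXP-EDH-RSA-DES-CBC-SHA, the DHE_EXPORT suite behind Logjam.
EXPORT_SELECTORS = {"ALL", "DEFAULT", "EXP", "EXPORT", "EXPORT40", "EXPORT56"}

DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|SSLProtocol|SSLCipherSuite)\s+(.+?)\s*;?\s*$",
    re.IGNORECASE,
)


def export_suites_enabled(cipher_list):
    """Walk an OpenSSL cipher string left to right and decide whether any
    export suite survives.  '!' permanently kills a selector, '-' removes it
    at that point, a bare selector adds it, '+' only reorders (no-op here).
    Removing a single EXP-... suite leaves the others, so it does not clear
    the flag (conservative on purpose)."""
    enabled = False
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        modifier = token[0] if token[0] in "!-+" else ""
        name = token[len(modifier):].upper()
        if name in EXPORT_SELECTORS:
            if modifier == "!":
                return False          # nothing later can re-add them
            if modifier == "-":
                enabled = False
            elif modifier == "":
                enabled = True
        elif name.startswith("EXP-") and modifier == "":
            enabled = True
    return enabled


def _apache_protocols(tokens):
    """Apply Apache's all / +name / -name grammar; returns upper-cased names."""
    active = set()
    for token in tokens:
        modifier = token[0] if token[0] in "+-" else ""
        name = token[len(modifier):].upper()
        names = APACHE_ALL if name == "ALL" else {name}
        if modifier == "-":
            active -= names
        else:
            active |= names
    return active


def audit_tls_config(config_text):
    """Return the enabled protocols, the cipher list and a list of findings."""
    protocols, ciphers = set(), None
    for line in config_text.splitlines():
        match = DIRECTIVE.match(line.split("#", 1)[0])   # drop comments
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip().strip('"')
        if key == "ssl_protocols":            # nginx: plain list of names
            protocols |= {p.upper() for p in value.split()}
        elif key == "sslprotocol":            # Apache: all / + / - grammar
            protocols |= _apache_protocols(value.split())
        else:                                 # ssl_ciphers / SSLCipherSuite
            ciphers = value
    findings = []
    if "SSLV3" in protocols:
        findings.append("SSL 3.0 enabled (POODLE, CVE-2014-3566): remove SSLv3 from the protocol list")
    if ciphers is not None and export_suites_enabled(ciphers):
        findings.append("export-grade suites negotiable (Logjam, CVE-2015-4000): add !EXPORT or use an explicit HIGH list")
    return {"protocols": sorted(protocols), "ciphers": ciphers, "findings": findings}


# Constructed sample configurations (not taken from any real deployment).
WEAK_NGINX = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers DEFAULT;   # DEFAULT still contained EXP-* suites on OpenSSL 1.0.1
"""
HARDENED_NGINX = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT;
"""
WEAK_APACHE = """
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL
"""
HARDENED_APACHE = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "HIGH:!aNULL:!eNULL:!EXPORT"
"""

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE)]:
        print(f"{label}: {audit_tls_config(cfg)['findings'] or 'no findings'}")
```

Run it as a script to see the two weak configurations each produce both findings and the hardened ones produce none. The cipher-string walk is intentionally a conservative approximation of OpenSSL's selector grammar; treat a clean result as a prompt to confirm with `openssl ciphers -v`, and a finding as something to fix.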


Alert: Internet Explorer v6 to v10 Security Issue

On April 27, 2014, the Department of Homeland Security, Office of Cybersecurity and Communications published Vulnerability Note 222929: "Internet Explorer (IE) contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system." For detailed information, visit Microsoft's website.
  • Healthcare providers who are running browser-based applications in IE that require Flash are at risk from this vulnerability. These applications may include Universal Viewers and Image Sharing solutions.
  • iConnect® Access, unlike most Universal Viewing and Image Sharing solutions in the market, does not rely on Adobe Flash. Viewers and sharing solutions that run in a browser and depend on Flash are vulnerable to this serious security vulnerability.
  • Merge recommends that, unless you have other web-based applications that require Flash, you disable Flash until Microsoft publishes a patch for the vulnerability.
  • iConnect® Access will continue to operate safely and securely after you disable Flash.
  • For questions or more information, please contact Merge Technological Support at 877.741.5369 or email support@merge.com.
 



OpenSSL vulnerability CVE-2014-0160
Original Publication Date: 04/08/2014
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
 

Overview

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
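The over-read described above comes from trusting the heartbeat message's own payload_length field instead of the number of bytes that actually arrived in the TLS record. As an added example (neither OpenSSL's code nor anything from Merge), the Python below encodes and decodes RFC 6520 heartbeat records and applies the bounds check that the fixed OpenSSL releases enforce: a message whose declared length does not fit inside the received record fragment is silently dropped, so a response can never echo bytes the peer did not send. Function names and the sample records are this example's own constructions.

```python
"""RFC 6520 heartbeat records with the length check that prevents the
Heartbleed over-read.  Added example; not OpenSSL's implementation."""
import os
import struct

CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
TLS_VERSION = 0x0303                   # record-layer version used when encoding
MIN_PADDING = 16                       # RFC 6520 section 4: at least 16 bytes
RECORD_HEADER = struct.Struct("!BHH")  # content type, version, fragment length


def encode_heartbeat(msg_type, payload, padding_len=MIN_PADDING):
    """Build one well-formed heartbeat record.  The length field is always
    derived from the real payload, never supplied by a caller."""
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("bad heartbeat type")
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    body = (bytes([msg_type]) + struct.pack("!H", len(payload))
            + payload + os.urandom(padding_len))
    return RECORD_HEADER.pack(CONTENT_TYPE_HEARTBEAT, TLS_VERSION, len(body)) + body


def parse_heartbeat(record):
    """Return (msg_type, payload) for a well-formed heartbeat record, or None
    if it must be dropped.  Every slice is bounded by len(record), and the
    declared payload_length is validated against the received fragment
    before it is used for anything."""
    if len(record) < RECORD_HEADER.size:
        return None
    ctype, _version, frag_len = RECORD_HEADER.unpack_from(record)
    body = record[RECORD_HEADER.size:]
    if ctype != CONTENT_TYPE_HEARTBEAT or len(body) != frag_len:
        return None                    # not a heartbeat, or truncated/oversized
    if frag_len < 1 + 2 + MIN_PADDING:
        return None                    # cannot hold type, length and padding
    msg_type = body[0]
    (payload_len,) = struct.unpack_from("!H", body, 1)
    # The check missing before OpenSSL 1.0.1g: type(1) + length(2) + payload
    # + minimum padding must fit inside the bytes that actually arrived.
    if 1 + 2 + payload_len + MIN_PADDING > frag_len:
        return None
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    return msg_type, bytes(body[3:3 + payload_len])


def heartbeat_response(record):
    """Server side: answer a valid request with a response carrying the same
    payload; anything else is dropped without a reply."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return encode_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed sample inputs.
GOOD_REQUEST = encode_heartbeat(HEARTBEAT_REQUEST, b"ping")
# Same record with its length field corrupted (64 bytes claimed, 4 present).
OVERDECLARED = GOOD_REQUEST[:6] + struct.pack("!H", 64) + GOOD_REQUEST[8:]
TRUNCATED = GOOD_REQUEST[:-5]          # fragment shorter than its header claims

if __name__ == "__main__":
    samples = [("good", GOOD_REQUEST), ("over-declared", OVERDECLARED), ("truncated", TRUNCATED)]
    for label, rec in samples:
        resp = heartbeat_response(rec)
        print(f"{label}: {'replied ' + repr(parse_heartbeat(resp)) if resp else 'dropped'}")
```

The same validation belongs in any record parser fed by the network: derive every length from what was received, compare the peer's declared length against it, and drop rather than "best-effort" a mismatch.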
 

Impact
A malicious user can exploit vulnerable systems and retrieve information from memory, such as the private keys used for Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS).

Status
Products that can be configured for SSL communications have been confirmed not to be impacted by CVE-2014-0160.
Merge will continue to review and post updates as needed.
 

Product                         Uses OpenSSL   Vulnerable
------------------------------  -------------  ----------
iConnect Enterprise Archive     Yes            No
Open Eyes                       Yes            No
iConnect Access                 Yes            No
iConnect Core                   No             No
MC3 DICOM Toolkit               No             No
HL7 Toolkit                     No             No
Secure Bridge                   Yes            No
Merge PACS                      Yes            No
Merge OrthoCase                 Yes            No
Merge OfficePACS                No             No
Radsuite                        No             No
eFilm                           No             No
Merge OrthoEMR                  No             No
Merge RIS                       No             No
Merge Dashboards                No             No
MRP                             No             No
Merge Patient Portal            No             No
Merge Honeycomb                 Yes            No
Merge Monitoring                Yes            No
iConnect Network                No             No
CADstream                       No             No
EyeCare PACS                    No             No
Merge Cardio                    No             No
VERICIS                         Yes            No
Merge Hemo                      No             No
MergePort                       Yes            No
Fusion RIS                      No             No
AIMS                            No             No
MDM                             No             No
I-Softview                      No             No
I-Reach                         No             No
OrthoPacs                       Yes            No
Fusion Workstation              No             No
Merge LIS                       No             No
FlexConnect                     No             No
LabAcess                        No             No
Merge Financials                No             No
iConnect Share v2.0 – 3.3       Yes            No