CVE-2017-14101
📋 TL;DR
An XML External Entity (XXE) vulnerability in Conserus Image Repository version 2.1.1.105 allows unauthenticated attackers to read arbitrary files from the local filesystem and steal hashed service account credentials via specially crafted SOAP requests. This affects McKesson Medical Imaging Company's (now Change Healthcare) medical imaging archive solution. The vulnerability is remotely exploitable without authentication.
💻 Affected Systems
- Conserus Image Repository
📦 What is this software?
Conserus Image Repository by Change Healthcare
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through credential theft leading to patient data exfiltration, system takeover, and potential ransomware deployment across connected medical systems.
Likely Case
Sensitive medical image data theft, patient record exposure, and credential harvesting enabling lateral movement within healthcare networks.
If Mitigated
Limited impact if network segmentation prevents external access and file system permissions restrict sensitive file access.
🎯 Exploit Status
Technical details and proof-of-concept are publicly available. XXE exploitation is well-documented and tool-assisted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Contact Change Healthcare support for patch availability. Consider upgrading to latest supported version if available.
🔧 Temporary Workarounds
Disable XXE Processing
Configure the XML parser to disable external entity resolution
Application-specific configuration - consult vendor documentation
Input Validation
Implement strict input validation on SOAP endpoints to reject XML containing external entities
Application-layer filtering implementation required
🧯 If You Can't Patch
- Network segmentation: Isolate Conserus servers from internet and restrict internal access to authorized medical systems only
- Implement web application firewall (WAF) with XXE protection rules and monitor for SOAP request anomalies
🔍 How to Verify
Check if Vulnerable:
Test with XXE payloads against SOAP endpoints or review application logs for XXE attempts
Check Version:
Check application version through administrative interface or consult vendor documentation
Verify Fix Applied:
Attempt XXE exploitation after remediation and verify file read attempts fail
📡 Detection & Monitoring
Log Indicators:
- Unusual SOAP requests containing SYSTEM or PUBLIC DTD declarations
- File access attempts via XML entities
- Outbound connections to external URLs in XML parsing context
Network Indicators:
- HTTP POST requests to SOAP endpoints with XML containing external entity references
- Unexpected outbound connections from application server following SOAP requests
SIEM Query:
source="conserus_logs" AND ("SYSTEM" OR "PUBLIC" OR "ENTITY") AND "HTTP POST"
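The input-validation workaround and the log indicators above both come down to the same check: spotting a DTD with external entity declarations in a SOAP request body before the parser sees it. The following is an added example written for this page, not code from Change Healthcare or the Conserus product; it screens raw XML text with a regex pre-filter, and the SOAP samples and the `file:///placeholder/path` identifier are constructed.

```python
from __future__ import annotations
import re

# Entity declaration carrying an external identifier. The optional "%" group
# also catches parameter entities, which a naive "ENTITY name SYSTEM" search
# misses because the name sits after the percent sign.
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY = re.compile(r"<!ENTITY\b", re.IGNORECASE)


def screen_soap_body(body: str) -> list[str]:
    """Return the reasons a SOAP body should be rejected (empty list = clean).

    SOAP 1.1 and 1.2 forbid a DTD inside a message, so any <!DOCTYPE> is
    already a policy violation. External entity declarations are reported
    separately because they map directly to the SYSTEM/PUBLIC log indicators.
    """
    reasons: list[str] = []
    if _DOCTYPE.search(body):
        reasons.append("DOCTYPE declaration present (not allowed in SOAP)")
    for m in _EXTERNAL_ENTITY.finditer(body):
        kind = "parameter" if m.group("param") else "general"
        reasons.append(
            f"external {kind} entity '{m.group('name')}' "
            f"uses {m.group('kind').upper()} identifier"
        )
    if _ENTITY.search(body) and not _EXTERNAL_ENTITY.search(body):
        # No external fetch, but internal entities still allow expansion attacks.
        reasons.append("internal entity declarations present (entity-expansion risk)")
    return reasons


# Constructed sample bodies (not real Conserus traffic).
BENIGN_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetStudy><id>12345</id></GetStudy></soap:Body>
</soap:Envelope>"""

SUSPICIOUS_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///placeholder/path"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetStudy><id>&xxe;</id></GetStudy></soap:Body>
</soap:Envelope>"""
```

Run the screen on the request body at a WAF or reverse proxy in front of the SOAP endpoint; a non-empty result is both a reject decision and a log line matching the indicators listed above.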