
McKesson HCI Hardcoded Passwords

19 Oct 2009 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

McKesson HCI Hardcoded Passwords for Oracle Access

Code
`McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, uses hardcoded passwords  
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are two components to an HCI implementation: the Infrastructure (or Master) server  
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes  
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server,  
/usr/local/bin/password, contains the database account usernames and their respective passwords. Content from /usr/local/bin/password is shown:  
  
# cat /usr/local/bin/password  
AMBU:hacschema  
QUEUE_USER:qmanager  
SYS:alLp0ver2  
SYSTEM:urA7mvP  
CHANGEMGR:datacontrol  
CCDEV:ccdev  
CCDBA:ccnulls *HAS ORACLE SYSDBA PRIVS*  
CCDATA:ccdata  
CCFORMS:ccforms  
CCINTERFACE:ccinterface  
MCKHEO:mckheo  
CCREL:ccrel  
CCQUERY:ccquery  
CDXWEB:winplu5  
DRUG1:fdb3schema  
DRUG2:fdb3schema  
enc_ent:encent  
ENT:entpazz  
ENT_CONFIG:ent_configpazz  
ADF:adfpazz  
INF:infpazz  
INF_CONFIG:inf_configpazz  
SDM:sdmpazz  
STRMADM:pazzw0rd  
ENT_AUD:pazzw0rd  
ENT_ARCH:pazzw0rd  
POC_ARCH:pazzw0rd  
POC_AQ:qmanager  
INF_AQ:qmanager  
DATAMGR:datamgr  
CCUSER:bueno  
ALERTS:monitorhca  
HCALERTS:alertsuser  
AM:ampazz  
AM_AUD:pazzw0rd  
AUD:audpazz  
TMF:tmfpazz  
MN:mnpazz  
EH:ehpazz  
NG:ngpazz  
DM:dmpazz  
DMTOOL:dmtoolpazz  
STG_DMT:stg_dmtpazz  
WRL:wrlpazz  
NOTES:notespazz  
REPORTS:reportspazz  
ICONS:iconspazz  
BS:bspazz  
QZ:qzpazz  
RM:rmpazz  
RM_AUD:pazzw0rd  
COMMGR:commgrpazz  
OPSERVICE:opservicepazz  
SEC_CONFIG:sec_configpazz  
CTXSYS:ctxsyspazz  
OLOGY:ologypazz  
OLOGY_CONFIG:ology_configpazz  
DOC:docpazz  
DOC_CONFIG:doc_configpazz  
PORTAL:portal  
PORTAL_INSTALL:portal_install  
EBIDBADMIN:ebidbadmin  
DESIGN_OWNER:owb  
OWB_RUNTIME_REPOSITORY:owb  
RUNTIME_A_USER:owb  
  
Despite the "central" password file that contains the credential information, many of the credentials  
are also hardcoded throughout the binaries and scripts that ship as part of the HCI Infrastructure server.  
  
# cd /u/live  
# find . -type f -print | xargs grep ccnull | wc -l  
85  
  
Here is some context showing how the credentials are used throughout the HCI code:  
  
# find . -type f -print | xargs grep ccnull   
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF  
./all_ord:LOGIN=ccdba/ccnulls  
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"  
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"  
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG  
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE <<- ENDSQL  
  
McKesson supports HCI on the AIX, HP-UX, and Linux platforms. Because the passwords are hardcoded,  
the credentials for all of these role accounts are the same at every customer installation of HCI.   
  
According to the following press release, http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson software is installed in 70% of hospitals within the US. HCI serves as the core infrastructure  
component of other McKesson applications such as Horizon Lab, Horizon Patient Folder, Horizon CareLink,  
Horizon Expert Documentation, etc.  
`
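
The `find | xargs grep ccnull` check above only finds one known password. The script below is an added example, not part of the original advisory or of any McKesson tooling: it generalizes that audit to any `sqlplus`/`sqlldr` call or login-style variable carrying a literal `user/password`, and redacts the password in its report. The two regexes, the function names and the sample tree (with its `appuser/EXAMPLEPW` credential) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list Oracle connect strings that carry a literal password.
# Both regexes are assumptions modelled on the grep hits quoted in the advisory.

# sqlplus/sqlldr called with a literal user/password argument.
CLI_RE='(sqlplus|sqlldr)([[:space:]]+-[A-Za-z]+)*[[:space:]]+[A-Za-z_][A-Za-z0-9_]*/[^[:space:]$"@/]+'
# LOGIN=, ora_user=, userid= style assignments of a literal user/password.
VAR_RE='[A-Za-z_]*(login|user|connect)[A-Za-z_]*="?[A-Za-z_][A-Za-z0-9_]*/[^[:space:]$"@/]+'

# Print file:line:match for every hit under $1, with the password replaced
# so the audit report itself does not become another copy of the secret.
scan_inline_oracle_creds() {
    # -r recurse, -I skip binaries, -H/-n file and line, -i ignore case, -o match only
    grep -rIHinoE -e "$CLI_RE" -e "$VAR_RE" -- "$1" 2>/dev/null |
        sed -E 's#/[^/]*$#/<redacted>#' | sort
}

# Constructed sample tree (hypothetical user and password, not from the advisory).
# It has three lines that should be flagged and three that should not:
# /nolog, variable-supplied credentials, and a /@alias connect carry no literal password.
make_sample_tree() {
    local d
    d=$(mktemp -d) && mkdir -p "$d/bin" || return 1
    printf '%s\n' 'LOGIN=appuser/EXAMPLEPW' > "$d/all_ord"
    printf '%s\n' 'ora_user="appuser/EXAMPLEPW$DB_SPEC_IF_REMOTE"' \
                  'sqlplus -s /nolog' > "$d/bin/batch"
    printf '%s\n' 'sqlldr appuser/EXAMPLEPW iv_bottle >> $LOG' \
                  'sqlplus -S "$ORA_USER/$ORA_PASS" <<EOF' \
                  'sqlplus /@hci_alias' > "$d/bin/tmpl"
    printf '%s\n' "$d"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_inline_oracle_creds "$1"
fi
```

Run it against a script tree such as `/u/live`; each reported line is a place where rotating the database password also requires changing the file.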
