Electronic Medical Records Cracked Open by OpenClinic Bugs

  • Four security vulnerabilities in an open-source medical records management platform allow remote code execution, patient data theft and more.

    Four vulnerabilities have been discovered in the OpenClinic application for sharing electronic medical records. The most concerning of them would allow a remote, unauthenticated attacker to read patients’ personal health information (PHI) from the application.

    OpenClinic is an open-source health records management software; its latest version is 0.8.2, released in 2016, so the flaws remain unpatched, researchers at Bishop Fox said. The project did not immediately return Threatpost’s request for comment.

    According to researchers, the four bugs involve missing authentication; insecure file upload; cross-site scripting (XSS); and path traversal. The most high-severity bug (CVE-2020-28937) stems from a missing authentication check on requests for medical test information.

    Authenticated healthcare users of the application can upload medical test files for patients, which are then stored in the ‘/exams/’ directory. However, there is no requirement for patients to sign in in order to view the test results.

    “Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application,” according to the firm, writing in a Tuesday posting.

    A mitigating factor is the fact that an attacker would need to know or guess the names of files stored in the “/checks/” directory in order to exploit the vulnerability.

    “However, medical test filenames can be predictable, and valid filenames could also be obtained through log files on the server or other networking infrastructure,” researchers wrote.

    Medical records are a hot commodity on the cybercriminal underground — fraudsters bent on identity theft or phishing efforts can use the store of personal information to craft convincing campaigns.

    Other Bugs

    Another vulnerability found by Bishop Fox allows an authenticated attacker to obtain remote code execution on the application server. This insecure file-upload bug (CVE-2020-28939) allows the Administrative and Administrator user roles to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server.

    “Administrative users with the ability to enter medical tests for patients were able to upload files to the application using the ‘/openclinic/medical/test_new.php’ endpoint,” according to Bishop Fox. “This endpoint did not restrict the types of files that could be uploaded to the application. As a result, it was possible to upload a file containing a simple PHP web shell.”

    Malicious users of the application could use this vulnerability to gain access to sensitive information, escalate privileges, install malicious programs on the application server, or use the server as a pivot point to gain access to the internal network.

    A third vulnerability, a medium-severity stored XSS vulnerability (CVE-2020-28938), allows an unauthenticated attacker to embed a payload that, if clicked by an admin user, would escalate privileges on the attacker’s account.

    “While the application code contained measures to prevent XSS, it was found that these measures could be bypassed,” according to Bishop Fox. “HTML tags that could be included with user input were limited to [a] whitelist specified in /lib/Check.php.”

    That means that in a real attack scenario, attackers could send a malicious link to victims – which when clicked would allow them to force actions on behalf of another user, according to Bishop Fox.

    “To demonstrate impact, an XSS payload was embedded into a patient’s medical history with the lower-privileged Administrative user role,” researchers explained. “When clicked by an administrator, this payload created a new admin account under the attacker’s control, thereby allowing them to escalate privileges.”

    The final vulnerability is a low-impact path traversal issue (no CVE was assigned) that could allow an authenticated attacker to store files outside of designated directories on the application server.

    “Admin users could upload new themes to the application through the ‘/admin/topic_new.php’ endpoint,” according to researchers. “This caused new files to be created under the css folder in the directory where OpenClinic was installed. It was possible to navigate out of the css folder and store the files elsewhere on the filesystem.”
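The two checks that the upload and theme endpoints described above lacked, restricting file types and keeping stored files inside their directory, can be enforced server-side as follows. This is an added example, not OpenClinic or Bishop Fox code; the function names, the allowed types and the filename pattern are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names: ALLOWED_TYPES, store_upload() and resolve_inside()
// are illustration only, not OpenClinic identifiers.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/** Store one $_FILES entry in $storageDir; returns the stored path. */
function store_upload(array $file, string $storageDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    // Type comes from the file's content, not the client's name or header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext = array_search($mime, ALLOWED_TYPES, true);
    if ($ext === false) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: a client name containing "../" or ending in
    // ".php" never reaches the filesystem path.
    $base = realpath($storageDir);
    if ($base === false) {
        throw new RuntimeException('storage directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

/** For names the user must choose (e.g. a theme): allowlist, then join. */
function resolve_inside(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    // No slash, backslash or dot can pass this pattern, so the joined path
    // cannot leave $base.
    if ($base === false || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        throw new RuntimeException('invalid directory or name');
    }
    return $base . DIRECTORY_SEPARATOR . $name . '.css';
}
```

Placing the storage directory outside the web root means stored files are reachable only through a script that can check the session first.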

    Bishop Fox first found the bugs in late August, and made several attempts to contact the OpenClinic development team through email, with no response.

    “There is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software,” researchers said.
