Vulnerabilities found in a past version of OpenEMR could enable an attacker to access sensitive data and compromise an entire system. If exploited, an unauthenticated actor could chain the “vulnerabilities to gain code execution on a server running OpenEMR version lower than 7.0.0.”

Found by Sonar, a software development company, the flaws were responsibly disclosed to OpenEMR, which then provided a software update to remediate the issue. The newer versions of the platform are fully patched. Sonar issued its report following the OpenEMR update.

Given the health sector’s often slow patching process and the ongoing threat landscape, the Department of Health and Human Services Cybersecurity Coordination Center is urging IT and security leaders to ensure they’ve upgraded to the latest EMR version to fully patch these gaps.

OpenEMR is a popular electronic health records system with an estimated 5,000 downloads each month by 100,000 global providers and serving over 200 million patients. Maintained by a community of volunteers and support professionals, OpenEMR is notably used by PeaceCorps, IPPF, and the Siaya District Hospital in Kenya.

The Sonar report details the unauthenticated file read, authenticated local file inclusion, and an authenticated reflected XSS. 

How a "rogue MySQL server" can take over an OpenEMR device

Without the patch, “a rogue MySQL server can read arbitrary files from an OpenEMR instance,” according to the report. Further, the installer fails to delete itself after a successful installation and, as the setup is divided into parts, an unauthenticated user can perform some actions through a user-controlled parameter state.

As a result, an unauthenticated attacker would be able to perform a database query on their own server by enabling the MySQL statement LOAD DATA to load the contents of a file into a database table.

“If the modifier LOCAL is given, the file is read from the client instead of the server,” Sonar researchers wrote.

An attacker-controlled MySQL configuration can lead to the compromise of the arbitrary file read vulnerability. And when combined with the two other flaws, an unauthorized attacker can take over the device and deploy remote code execution.

The HC3 alert warns that each of these flaws “represent opportunities for cybercriminals to launch ransomware attacks and data breaches — both of which are persistent threats to the health sector, among other types of attacks.”

Although providers can completely reinstall OpenEMR, the alert warns that attackers can specify a configuration during the setup steps via the properties of the Installer class to take over any OpenEMR instance.

OpenENR vulnerabilities addressed in November update

As noted, OpenEMR maintainers addressed all of these serious vulnerabilities and further hardened the application in its November 2022 update to version 7.0.0 of the platform.

The EMR now includes a series of CSRF checks and sessions to patch the arbitrary file read vulnerability, which also further restricts the installation process. Now, even an unauthenticated attacker would need to go through the installation steps in the correct order. And “when a config file already exists in an installed OpenEMR instance, the setup process fails in the first step.”

OpenEMR also strengthened the PHP function to encode important characters and blocks the ability of an attacker to escape the context and prevents the XSS vulnerability. The update also sanitized the user-controlled parameter, which now only allows alphanumeric characters to prevent path traversal.

OpenEMR intends to bolster this process to reduce the risk of potential exploit, as well.

Maintainers of the OpenEMR are notoriously responsive to any potential vulnerabilities. In one notable instance from 2018, when researchers found nearly 30 critical vulnerabilities in the platform that left millions of patient records vulnerable to attack. It was the second round of security flaws found that year.

Those bugs included flaws that could enable an attacker to bypass the patient portal authentication and navigate to the registration page, as well as change the URL. A number of SQL injection bugs were also found that could be used to view data from targeted databases. The round of disclosures included other remote code execution vulnerabilities.

Much like the latest vulnerability disclosure, OpenEMR was quick to provide an update that eliminated these risks.