A team of researchers yesterday disclosed 22 vulnerabilities in OpenEMR, a widely used medical practice management software program that supports electronic medical records, including a portal authentication bypass flaw that could have allowed users to access random patient records.
Calling itself Project Insecurity, the research team downloaded OpenEMR version 188.8.131.52 from GitHub and proceeded to analyze the source code manually without the use of automated testing tools. Although none of the flaws rose to the level of critical, 17 of the 22 were considered of high severity.
OpenEMR's developers pushed out an update patching the bugs on July 20, after learning of the discoveries earlier that month, the researchers noted in an Aug. 7 published vulnerability report.
In an interview with DataBreaches.net, Project Insecurity CEO Matt Telfer explained why the portal authorization bypass was likely the most significant find: “Some of the information which could be stolen as a result of this flaw includes patient demographics, all electronic medical records, prescription and medical billing information, appointment schedules, and more," said Telfer. "There are almost 100 million patients' records stored in total, with over 10 million of those... within the USA.”
According to the report, the vulnerability allows users access to portal pages that normally require login verification "by simply navigating to the registration page and modifying the requested url to access the desired page," rather than clicking on the link. (This only works, however, in circumstances when the variable “$ignoreAuth” is set to true.) Portal areas found to be accidentally accessible via this flaw included pages for payments, patient profiles and documentation, and lab results. Indeed, by successfully accessing the profile page during their investigation, the researchers were able to pull up a random customer profile.
What's worse, Project Insecurity found that attackers could combine this bypass flaw with one of eight SQL injection vulnerabilities discovered in snippets of OpenEMR's PHP code in order to view data from a target database, compromise patient records, and perform various database functions in unauthorized fashion.
Researchers also spotted four remote code execution bugs that could allow attackers to launch system commands or escalate their privileges. "All of these RCE vulnerabilities exist due to the fact that none of the global variables are being sanitized when being passed to a shell command," the report details.
Project Insecurity also noted that OpenEMR was subject to a collective group of high-risk cross-site request forgery vulnerabilities, the most serious of which could allow attackers to upload a web shell and escalate to remote code execution, if they can first trick an admin into clicking on a malicious link.
The remaining three high-impact discoveries are an arbitrary file write bug that allows authenticated attackers to upload any file with a crafted request; an arbitrary file read flaw due to lack of sanitization that allows actors to view files on the site outside the web directory, and an arbitrary file deletion vulnerability that's also due to a lack of sanitization.
The researchers also found three unauthenticated information disclosure flaws (low risk), an unrestricted file upload bug (medium risk), and a collection of unauthenticated administrative actions that are achievable simply by knowing the relative URL path (low risk).
In addition to Telfer, the Project Insecurity team is composed of researchers Brian Hyde, Cody Zacharias, Corben Leo, Daley Bee, Dominik Penner and Manny Mand.