Vulnerabilities were recently discovered in OpenEMR, the popular medical records management portal. Left unpatched, these vulnerabilities would have handed attackers control of the medical practice management application. Of all the bugs, the one in the Patient Portal was probably the most dangerous: people use the Patient Portal to access almost all of their medical data, so it is highly essential to them. OpenEMR has patched most of these bugs in time.
Bugs in the system
A cross-site scripting flaw in the Patient Portal allowed the researchers to gain unauthorized command execution on OpenEMR servers, and insecure API permissions gave unauthenticated users access to the portal.
Command Injection Flaw
A command injection flaw was found in the feature of the system that creates backups. Backtick characters from a stored value ended up in the shell command as:
echo "DELETE FROM layout_options WHERE form_id = '`touch sonarsource.txt;`';" >> /tmp/export;
This happened because a malicious value stored in the system was inserted unescaped into the command; the backtick sequence is visible in the form_id clause above.
Since the shell evaluates backticks inside a double-quoted echo argument as command substitution, the attacker could execute arbitrary subcommands on the Linux server through that echo command.
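The following is an added example (not SonarSource's or OpenEMR's code; written in Python rather than OpenEMR's PHP) that rebuilds the vulnerable echo pattern from the command above beside a hardened version using shlex.quote, which does the same job as PHP's escapeshellarg, and runs both in a throw-away directory to show the difference. The form_id value and the export file name are constructed for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample value modelled on the payload quoted in the article:
# a form_id carrying a backtick command substitution.
MALICIOUS_FORM_ID = "`touch sonarsource.txt;`"
EXPORT_FILE = "export.sql"  # relative path, so every run stays inside a temp dir


def build_unsafe_command(form_id: str) -> str:
    """Vulnerable pattern from the article: the untrusted value is spliced into a
    double-quoted echo argument, so the shell evaluates any backticks inside it."""
    return (f'echo "DELETE FROM layout_options WHERE form_id = \'{form_id}\';" '
            f'>> {EXPORT_FILE};')


def build_safe_command(form_id: str) -> str:
    """Hardened form: the whole SQL line is passed through shlex.quote (same job as
    PHP's escapeshellarg), so backticks and quotes reach echo as literal text."""
    sql = f"DELETE FROM layout_options WHERE form_id = '{form_id}';"
    return f"echo {shlex.quote(sql)} >> {shlex.quote(EXPORT_FILE)}"


def run_in_sandbox(command: str) -> dict:
    """Run the command with /bin/sh inside a throw-away directory and report
    whether the injected `touch` fired and what was written to the export file."""
    with tempfile.TemporaryDirectory() as workdir:
        subprocess.run(["sh", "-c", command], cwd=workdir, check=True)
        with open(os.path.join(workdir, EXPORT_FILE)) as fh:
            exported = fh.read()
        return {
            "marker_created": os.path.exists(os.path.join(workdir, "sonarsource.txt")),
            "exported": exported,
        }


if __name__ == "__main__":
    for label, builder in (("unsafe", build_unsafe_command), ("safe", build_safe_command)):
        result = run_in_sandbox(builder(MALICIOUS_FORM_ID))
        print(f"{label}: marker_created={result['marker_created']} "
              f"exported={result['exported']!r}")
```

With the unsafe builder the marker file appears and the form_id in the export is empty (the substitution's output); with the safe builder no file is created and the backtick text is written literally.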
The API Permissions
Insecure API permissions affected the registration of new users. The attackers could exploit the fact that the session variable isn't destroyed at the end of the file. This could be done as follows:
- The attacker sends a first HTTP request to register. PHP creates a session & sets the variable $_SESSION['register'] to true.
- Since $ignoreAuth is now set to true, the attacker can access the dispatcher by bypassing authentication & never finishing the registration process.
This gives the attacker time to exploit the data. Once a user logs in to their account, the attacker could take advantage of it: the vulnerability allows the attacker to modify or extract the patient's data at will.
Whenever the user changes their password, the stored payload is read from the user's database record and presented to the front end. The corrupted username then carries malicious HTML code, which reaches a response page in the user's browser.
The Final Word
On the 24th of February 2020, four flaws were reported in OpenEMR 220.127.116.11. To remedy these vulnerabilities, the company released a patch by the end of April.
SonarSource was appreciated by OpenEMR for disclosing these vulnerabilities & helping them improve application security.
They also mentioned that OpenEMR, being an open-source product, is well-positioned, especially considering that no software is free of vulnerabilities today. OpenEMR is used worldwide by a large number of people. By patching the bugs in due time, they have sent a powerful statement to the public.