Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data

Vulnerabilities in open source health records management software OpenEMR could lead to patient data compromise, remote code execution (RCE).

Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.

OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.

Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).

“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns.

The first of the identified issues is described as an unauthenticated arbitrary file read and exists because the OpenEMR installer does not delete itself after the installation is completed.

Because the installation process is divided into several steps, an unauthenticated attacker could abuse a user-controlled parameter to perform some of these steps (but not a complete setup).

The attacker can invoke a function to read the current theme from the database, which results in a database connection being established using attacker-controlled properties.

A MySQL statement can be used to load the contents of a file to the database table, and a modifier can be supplied so that the file is read from the client instead of the server.

Advertisement. Scroll to continue reading.

“A malicious server can request the content of another file, even in response to a totally different query from the client,” Sonar notes.

This allows an unauthenticated attacker to use a rogue MySQL server to read OpenEMR files such as backups, certificates, passwords, and tokens.

Sonar also discovered that an attacker could abuse a cross-site scripting (XSS) flaw to execute JavaScript code in the victim’s browser. The attacker can upload a PHP file and exploit a local file inclusion (LFI) to achieve RCE.

The XSS exists because, when requesting a PHP file, the browser first renders the HTML code, and only then the JavaScript context, which allows the attacker to use HTML entities within an event handler.

The LFI, Sonar explains, exists because a user-controlled variable is concatenated to a path and not sanitized, which allows an attacker to upload a PHP file and use a path traversal via the LFI to execute the file.

Sonar reported the security defects in October 2022. One month later, the vendor patched all bugs by adding sessions and CSRF checks and restricting the installation process, by encoding the character ‘&’ for an HTML entity to prevent the XSS, and by sanitizing the user-controlled parameter to prevent the LFI.

OpenEMR version 7.0.0 resolves all vulnerabilities. Users are advised to update their installations as soon as possible.

Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Exploitation of Control Web Panel Vulnerability Starts After PoC Publication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.