Vulnerabilities in Popular Open Source Management Tool Expose Hospitals to Attacks

A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or install malware on the hosting server.

OpenClinic GA is described as an “integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data.” The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.

Brian Hysell, a senior consultant at the Synopsys Software Integrity Group, discovered that the software is affected by a dozen vulnerabilities, most of which have been classified as critical or high severity based on their CVSS score. The flaws can be exploited to bypass access controls and account protections, obtain sensitive information, upload and execute arbitrary files, and execute arbitrary code or commands.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory describing the issues identified by Hysell.

The researcher told SecurityWeek that he reported his findings to the vendor, via ICS-CERT, in August 2018. He says he has not communicated directly with the developer, who told ICS-CERT in March 2019 that most of the vulnerabilities had been patched in the latest release. However, communications with the developer were apparently poor and it’s unclear exactly which of the flaws have been patched.

Hysell explained that several of the vulnerabilities could be chained together to allow an attacker who has access to the application via a web browser to conduct various activities, including to view or modify the content of databases (including patient data), or install malware on the server hosting OpenClinic GA, which can allow the attacker to move deeper into the targeted organization’s network.

“One example: a defect in a way the application checked passwords during login (CVE-2020-14494) allowed any user’s account, no matter how complex their password was, to be brute-forced after only a few thousand attempts — a few hundred in many cases. This should have been mitigated by the account lock-out initiated after a number of failed login attempts, but another vulnerability (CVE-2020-14484) meant that an attacker could use a formula hard-coded in the application to generate the ‘unlock code’ for the account,” Hysell said.

“Once logged in to the application, an attacker could try to access a page in the administration panel that accepted arbitrary SQL database queries. This page is supposed to be accessible only to administrators, but a missing authorization check (CVE-2020-14486) meant that an attacker could still use it even if the account he or she had brute-forced was not an administrator. And along with running regular database queries, this form could be used to run a query that would write a web shell to the server (CVE-2020-14493), allowing the attacker to run OS commands or install malware on the server.

“Other bugs (CVE-2020-14485) in the application’s session management allowed attackers to bypass login entirely; they could only access certain portions of the application, but crucially, those included that same SQL query panel,” he added.
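As an added illustration (not code from the article or from OpenClinic GA itself), the following Python looks at the chain Hysell describes from a detection standpoint: it parses a constructed, hypothetical authentication and page-access log and flags accounts with repeated login failures (CVE-2020-14494), lock-outs that are undone suspiciously quickly (the predictable unlock code, CVE-2020-14484), and non-administrator sessions reaching the SQL query page (the missing authorization check, CVE-2020-14486). The log format, the `/admin/sqlquery` path, the role names and the thresholds are assumptions for this example, not OpenClinic GA's real values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in a hypothetical format; OpenClinic GA's real log
# layout, URL paths and role names are not given in the article and will differ.
SAMPLE_LOG = """\
2020-07-01T10:00:01 user=nurse01 role=nurse action=LOGIN result=FAIL
2020-07-01T10:00:02 user=nurse01 role=nurse action=LOGIN result=FAIL
2020-07-01T10:00:03 user=nurse01 role=nurse action=LOGIN result=FAIL
2020-07-01T10:00:04 user=nurse01 role=nurse action=LOCKOUT result=OK
2020-07-01T10:00:05 user=nurse01 role=nurse action=UNLOCK result=OK
2020-07-01T10:00:09 user=nurse01 role=nurse action=LOGIN result=OK
2020-07-01T10:00:12 user=nurse01 role=nurse action=PAGE result=OK path=/admin/sqlquery
2020-07-01T11:30:00 user=admin01 role=admin action=PAGE result=OK path=/admin/sqlquery
2020-07-01T11:45:00 user=doc02 role=doctor action=LOGIN result=FAIL
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?: path=(?P<path>\S+))?$")

def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def brute_force_suspects(events, threshold=3):
    """Accounts with at least `threshold` failed logins (threshold is tuned low for the sample)."""
    fails = Counter(e["user"] for e in events if e["action"] == "LOGIN" and e["result"] == "FAIL")
    return {user for user, n in fails.items() if n >= threshold}

def suspicious_unlocks(events, max_gap_s=60):
    """Accounts unlocked within `max_gap_s` seconds of a lock-out: a legitimate
    helpdesk unlock takes longer than a computed unlock code does."""
    last_lockout, flagged = {}, set()
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "LOCKOUT":
            last_lockout[e["user"]] = ts
        elif e["action"] == "UNLOCK" and e["user"] in last_lockout:
            if (ts - last_lockout[e["user"]]).total_seconds() <= max_gap_s:
                flagged.add(e["user"])
    return flagged

def unauthorized_sql_access(events, sql_path="/admin/sqlquery"):
    """Non-admin sessions that reached the admin-only SQL page (hypothetical path)."""
    return sorted({(e["user"], e["role"]) for e in events
                   if e["action"] == "PAGE" and e.get("path") == sql_path and e["role"] != "admin"})

def chained_attack_suspects(events):
    """Accounts that show every stage of the chain: brute force, fast unlock, SQL page reached."""
    sql_users = {user for user, _ in unauthorized_sql_access(events)}
    return brute_force_suspects(events) & suspicious_unlocks(events) & sql_users
```

Run against `SAMPLE_LOG`, only `nurse01` trips all three stages, while the single failed login by `doc02` and the administrator's legitimate use of the SQL page stay quiet.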

The researcher says it might be possible to exploit some of the vulnerabilities directly from the internet if an organization has configured the application to be remotely accessible.

“I am aware of a couple of internet-exposed instances, but OpenClinic GA’s default configuration doesn’t lend itself to ‘passively’ identifying instances in databases like Shodan. An attacker could actively seek them out with an application-layer network scanner like ZGrab, but I haven’t done so,” he explained.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.