4 vulnerabilities have been discovered in the Open Clinic application for sharing electronic medical records. The most concerning of them would allow a remote, unauthenticated attacker to read patients’ personal health information (PHI) from the application.
4 security vulnerabilities in an open-source medical records management platform allow remote code execution, patient data theft and more.
According to researchers, the 4 bugs involve missing authentication; insecure file upload; cross-site scripting (XSS); & path-traversal. The most high-severity bug (CVE-2020-28937) emerges from a missing authentication check on requests for medical test information.
Authenticated healthcare users of the application can upload medical test documents for patients, which are then stored in the ‘/tests/’ directory. Unfortunately, there is no requirement for patients to sign in, in order to view the test results.
“Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application,” according to the firm, writing in a Tues. posting.
Names of Files
A mitigating element is the fact that an attacker would need to know or guess the names of files stored in the “/tests/” directory in order to exploit the vulnerability.
“However, medical test filenames can be predictable, & valid filenames could also be obtained through log files on the server or other networking infrastructure,” researchers wrote.
Medical records are a ‘hot product’ on the cybercriminal underground — fraudsters bent on identity theft or phishing efforts can use the store of personal information to craft convincing campaigns.
A further vulnerability found by Bishop Fox allows an authenticated attacker to obtain remote code execution on the application server. This insecure file-upload bug (CVE-2020-28939) allows the Administrative & Administrator user roles to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server.
“Administrative users with the ability to enter medical tests for patients were able to upload files to the application using the ‘/open clinic/medical/test_new.php endpoint,’” according to Bishop Fox. “This endpoint did not restrict the types of files that could be uploaded to the application. So, it was possible to upload a file containing a simple PHP web shell.”
Malicious users of the application could use this vulnerability to obtain access to sensitive information, escalate privileges, install malicious programs on the application server, or use the server as a pivot point to gain access to the internal network.
A 3rd vulnerability, a medium-severity stored XSS vulnerability (CVE-2020-28938), allows an unauthenticated attacker to embed a payload that, if clicked by an admin user, would escalate privileges on the attacker’s account.
“While the application code contained measures to prevent XSS, it was found that these measures could be bypassed,” according to Bishop Fox. “HTML tags that could be included with user input were limited to a whitelist specified in /lib/Check.php.”
That means that in a real attack situation, attackers could send a malicious link to victims – which when clicked would allow them to force actions on behalf of another user, says Bishop Fox.
“To demonstrate impact, an XSS payload was embedded into a patient’s medical record with the lower-privileged Administrative user role,” researchers explained. “When clicked by an administrator, this payload created a new admin account under the attacker’s control, thereby allowing them to escalate privileges.”
The final vulnerability is a ‘low-impact path traversal issue’ (no CVE was assigned) that could allow an authenticated attacker to store files outside of designated directories on the application server.
“Admin users could upload new themes to the application through the ‘/admin/theme_new.php’ endpoint,” according to researchers. “This caused new files to be created under the css folder in the directory where Open Clinic was installed. It was possible to navigate out of the css folder & store the files elsewhere on the filesystem.”
Bishop Fox 1st found the bugs in late Aug. & made several attempts to contact the Open Clinic development team through email, with no response.
“There is no version of Open Clinic available that does not suffer from the identified vulnerabilities, & the recommendation is to switch to a different medical records management software,” researchers concluded.