[BreachExchange] Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Destry Winant destry at riskbasedsecurity.com
Wed Aug 8 23:07:50 EDT 2018


https://www.theregister.co.uk/2018/08/07/openemr_vulnerabilities/

Fresh light has been shed on a batch of security vulnerabilities
discovered in the widely used OpenEMR medical records storage system.

A team of researchers at Project Insecurity discovered and reported
the flaws, which were patched last month by the OpenEMR developers in
version 5.0.1.4. With the fixes now having been out for several weeks,
the infosec crew on Tuesday publicly emitted full details of the
critical security bugs, with a disclosure [PDF] so long it has its own
table of contents.

Any medical provider that has yet to update to the latest version of
the open-source OpenEMR software is well advised to do so now, before
some miscreant exploits the holes to nab sensitive records.

Among the list of bugs found by Project Insecurity are four remote
code execution flaws; nine SQL injection vulnerabilities; arbitrary
read, write and deletion bugs; three information disclosure flaws; a
cross-site request forgery allowing for remote code execution; deep
breath; an unrestricted file upload hole; a patient portal
authentication bypass flaw; and administrative actions that can be
performed simply by guessing a URL path.

Delicious source

Perhaps what is most impressive is that the Project Insecurity gang –
Brian Hyde, Cody Zacharias, Corben Leo, Daley Bee, Dominik Penner,
Manny Mand, and Matthew Telfer – said all 23 bugs were discovered by
the seven of them poring over the source code by hand, without the use
of any automated testing tools.

"We set up our OpenEMR testing lab on a Debian LAMP server with the
latest source code downloaded from GitHub," the Insecurity team
explained.

"The vulnerabilities disclosed in this report were found by manually
reviewing the source code and modifying requests with Burp Suite
Community Edition, no automated scanners or source code analysis tools
were used."

In disclosing the flaws, Insecurity's researchers make a number of
recommendations to the OpenEMR community to avoid the introduction of
further vulnerabilities, including the use of parameterized database
queries in PHP scripts (to prevent SQL injection) and limiting uploads
only to non-executable image files (to patch the arbitrary file
upload-and-run hole).
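The two recommendations above, shown side by side in PHP as an added example. This is not OpenEMR's code or Project Insecurity's; the table and column names (patient_data, pid, fname, lname), the function names, and the PDO connection are assumptions made for the illustration. The first pair of functions contrasts a string-built query with a prepared statement; the third accepts an upload only if its content sniffs and decodes as an image, then stores it under a server-chosen, non-executable name.

```php
<?php
// Added example, not OpenEMR code. Illustrates parameterized queries (SQLi fix)
// and restricting uploads to non-executable image files (upload-and-run fix).
// Table/column names and $destDir are assumptions for the demonstration.

declare(strict_types=1);

// --- SQL injection: vulnerable string concatenation ---
// A $pid such as "1 OR 1=1" or "1 UNION SELECT ..." rewrites the query.
function lookupPatientVulnerable(PDO $db, string $pid): array
{
    $sql = "SELECT pid, fname, lname FROM patient_data WHERE pid = " . $pid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: prepared statement with a bound, typed parameter ---
// The value is sent separately from the SQL text, so it cannot change its structure.
function lookupPatientSafe(PDO $db, string $pid): array
{
    if (!ctype_digit($pid)) {          // input validation on top of parameterization
        throw new InvalidArgumentException('pid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT pid, fname, lname FROM patient_data WHERE pid = :pid');
    $stmt->bindValue(':pid', (int) $pid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Upload restriction: accept only real, non-executable image files ---
// $file is one entry of $_FILES; $destDir must be a directory outside the web root.
function storeImageUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }

    // Sniff the content; never trust the client-supplied filename or MIME type.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected upload of type $mime");
    }
    // Confirm the file actually parses as an image, not just carries a magic number.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // Server-chosen name: random, extension fixed by the sniffed type, no client path
    // components, so ".php", ".phtml" or "../" never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0640);                // readable by the application, never executable
    return $name;
}
```

Two caveats a practitioner would add: set `PDO::ATTR_EMULATE_PREPARES => false` on the connection so the MySQL server, not the client library, does the parameter binding; and even with the checks above, serve stored images through a script that sets Content-Type from the stored extension rather than exposing the upload directory to the web server, so a polyglot that passes `getimagesize()` still cannot be executed.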

Other bugs, such as the remote code execution and cross-site request
forgery flaws, will require developers to get up to speed on, and
implement, best practices for writing secure code.
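What the CSRF fix looks like in practice, as an added example rather than OpenEMR's own code: a synchronizer token generated per session from a CSPRNG, embedded in every state-changing form, and checked with a constant-time comparison before an administrative action runs. The "delete user" action, the function names and the routing at the bottom are assumptions for the illustration.

```php
<?php
// Added example, not OpenEMR code: synchronizer-token CSRF protection for an
// administrative action. The delete_user action and routing are assumptions.

declare(strict_types=1);

session_start();

// One token per session, generated once from a CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; false for a missing, empty or forged token.
function csrfTokenIsValid(?string $submitted): bool
{
    if (!is_string($submitted) || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The legitimate form carries the token in a hidden field (HTML-escaped).
// An attacker's page cannot read it: the token lives in the victim's session,
// not in a cookie that the browser would attach automatically.
function renderDeleteUserForm(int $userId): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/delete_user.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="user_id" value="' . $userId . '">'
         . '<button type="submit">Delete user</button></form>';
}

// Handler: state-changing actions are POST-only and require a valid token.
// A link the administrator is tricked into clicking (a GET) and a form
// auto-submitted from an attacker's page (no token) both stop here.
function handleDeleteUser(array $post, string $method): string
{
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'invalid CSRF token';
    }
    $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT);
    if ($userId === false) {
        http_response_code(400);
        return 'bad user id';
    }
    // deleteUser($userId);   // the real action would go here (assumed helper)
    return "deleted user $userId";
}

// Assumed routing: GET shows the form, POST performs the action.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST') {
    echo handleDeleteUser($_POST, $method);
} else {
    echo renderDeleteUserForm((int) ($_GET['user_id'] ?? 0));
}
```

The same check has to sit in front of every administrative endpoint, not just the forms that happen to have been reviewed; marking the session cookie `SameSite=Lax` or `Strict` adds a second layer, but it does not replace the token, because older browsers ignore the attribute and `Lax` still sends cookies on top-level GET navigations.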

"Obviously, if a malicious user were to convince an administrator to
click a certain link, that malicious user could successfully pop a
shell on their target," the researchers noted. "Nearly all of
OpenEMR’s administrative actions are vulnerable to CSRF one way or
another."

OpenEMR bills itself as "the most popular open source electronic
health records and medical practice management solution." ®

