[BreachExchange] Electronic Medical Records Cracked Open by OpenClinic Bugs

Destry Winant destry at riskbasedsecurity.com
Thu Dec 3 10:36:43 EST 2020


https://threatpost.com/electronic-medical-records-openclinic-bugs/161722/

Four security vulnerabilities in an open-source medical records
management platform allow remote code execution, patient data theft
and more.

Four vulnerabilities have been discovered in the OpenClinic
application for sharing electronic medical records. The most
concerning of them would allow a remote, unauthenticated attacker to
read patients’ personal health information (PHI) from the application.

OpenClinic is open-source health records management software; its
latest version is 0.8.2, released in 2016, so the flaws remain
unpatched, researchers at Bishop Fox said. The project did not
immediately return Threatpost’s request for comment.

According to researchers, the four bugs involve missing
authentication; insecure file upload; cross-site scripting (XSS); and
path traversal. The highest-severity bug (CVE-2020-28937) stems from
a missing authentication check on requests for medical test
information.

Authenticated healthcare users of the application can upload medical
test documents for patients, which are then stored in the ‘/tests/’
directory. Unfortunately, there’s no requirement for patients to sign
in before viewing the test results.

“Anyone with the full path to a valid medical test file could access
this information, which could lead to loss of PHI for any medical
records stored in the application,” according to the firm, writing in
a Tuesday posting.

A mitigating factor is the fact that an attacker would need to know or
guess the names of files stored in the “/tests/” directory in order to
exploit the vulnerability.

“However, medical test filenames can be predictable, and valid
filenames could also be obtained through log files on the server or
other networking infrastructure,” researchers wrote.

Medical records are a hot commodity on the cybercriminal underground —
fraudsters bent on identity theft or phishing efforts can use the
store of personal information to craft convincing campaigns.

Other Bugs

Another vulnerability found by Bishop Fox allows an authenticated
attacker to obtain remote code execution on the application server.
This insecure file-upload bug (CVE-2020-28939) allows the
Administrative and Administrator user roles to upload malicious files,
such as PHP web shells, which can lead to arbitrary code execution on
the application server.

“Administrative users with the ability to enter medical tests for
patients were able to upload files to the application using the
‘/openclinic/medical/test_new.php’ endpoint,” according to Bishop Fox.
“This endpoint did not restrict the types of files that could be
uploaded to the application. As a result, it was possible to upload a
file containing a simple PHP web shell.”

Malicious users of the application could use this vulnerability to
obtain access to sensitive information, escalate privileges, install
malicious programs on the application server, or use the server as a
pivot point to gain access to the internal network.

A third vulnerability, a medium-severity stored XSS vulnerability
(CVE-2020-28938), allows an unauthenticated attacker to embed a
payload that, if clicked by an admin user, would escalate privileges
on the attacker’s account.

“While the application code contained measures to prevent XSS, it was
found that these measures could be bypassed,” according to Bishop Fox.
“HTML tags that could be included with user input were limited to [a]
whitelist specified in /lib/Check.php.”

That means that in a real attack scenario, attackers could send a
malicious link to victims – which when clicked would allow them to
force actions on behalf of another user, according to Bishop Fox.

“To demonstrate impact, an XSS payload was embedded into a patient’s
medical record with the lower-privileged Administrative user role,”
researchers explained. “When clicked by an administrator, this payload
created a new admin account under the attacker’s control, thereby
allowing them to escalate privileges.”

The last vulnerability is a low-impact path traversal issue (no CVE
was assigned) that could allow an authenticated attacker to store
files outside of designated directories on the application server.

“Admin users could upload new themes to the application through the
‘/admin/theme_new.php’ endpoint,” according to researchers. “This
caused new files to be created under the css folder in the directory
where OpenClinic was installed. It was possible to navigate out of the
css folder and store the files elsewhere on the filesystem.”
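As an added example that is not OpenClinic’s own code, the following Python sketch shows the server-side checks that would close the three file-handling issues described above: the unauthenticated reads from ‘/tests/’, the unrestricted upload through test_new.php, and the traversal out of the css folder through theme_new.php. The install path, the ‘patient’ role and the session fields are assumptions.

```python
import os
import re

# Added example, not OpenClinic code. Install path and role names are assumed.
INSTALL_DIR = "/var/www/openclinic"
TEST_DIR = os.path.join(INSTALL_DIR, "tests")   # medical test documents
CSS_DIR = os.path.join(INSTALL_DIR, "css")      # uploaded theme files
STAFF_ROLES = {"Administrator", "Administrative"}

# Types a test result may plausibly be; .php, .phtml, .htaccess etc. are refused.
ALLOWED_TEST_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".txt"}
# A PHP open tag in the body is refused whatever the extension claims (x.php.pdf).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def safe_target(base_dir, user_filename):
    """Map a user-supplied name to a path inside base_dir; None if it carries
    separators, '..' or a leading dot (the theme_new.php traversal case)."""
    if not user_filename or any(c in user_filename for c in "/\\"):
        return None
    if user_filename.startswith(".") or ".." in user_filename:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_filename))
    # Belt and braces: the resolved path must still sit under base.
    return target if os.path.commonpath([base, target]) == base else None

def accept_test_upload(user_filename, content):
    """test_new.php fix: allowlisted extension and no PHP code in the body."""
    target = safe_target(TEST_DIR, user_filename)
    if target is None or os.path.splitext(target)[1].lower() not in ALLOWED_TEST_EXT:
        return None
    return None if PHP_TAG.search(content) else target

def accept_theme_upload(user_filename):
    """theme_new.php fix: only .css names, and only inside the css folder."""
    target = safe_target(CSS_DIR, user_filename)
    return target if target and target.lower().endswith(".css") else None

def authorize_test_download(session, record_patient_id):
    """/tests/ fix: knowing the file name is not enough; the requester must be
    logged-in staff or the patient the record belongs to."""
    if not session:
        return False
    if session.get("role") in STAFF_ROLES:
        return True
    return session.get("role") == "patient" and session.get("user_id") == record_patient_id
```

The download check is the one that matters most here: with it in place, a predictable or leaked file name alone no longer yields PHI.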

Bishop Fox first found the bugs in late August, and made several
attempts to contact the OpenClinic development team through email,
with no response.

“There is no version of OpenClinic available that does not suffer from
the identified vulnerabilities, and the recommendation is to switch to
a different medical records management software,” researchers said.

