Four security vulnerabilities in an open up-supply professional medical documents administration platform enable remote code execution, individual facts theft and far more.
4 vulnerabilities have been discovered in the OpenClinic software for sharing digital clinical records. The most about of them would allow a remote, unauthenticated attacker to go through patients’ personal wellbeing information (PHI) from the application.
OpenClinic is an open up-resource health and fitness documents administration software its latest model is .8.2, launched in 2016, so the flaws stay unpatched, researchers at Bishop Fox claimed. The venture did not right away return Threatpost’s request for comment.
According to researchers, the four bugs entail lacking authentication insecure file add cross-site scripting (XSS) and path-traversal. The most large-severity bug (CVE-2020-28937) stems from a missing authentication test on requests for medical check info.
Authenticated health care customers of the software can add professional medical take a look at files for people, which are then stored in the ‘/checks/’ listing. Unfortunately, there’s no need for patients to indication in in buy to check out the test effects.
“Anyone with the whole path to a legitimate medical take a look at file could accessibility this data, which could guide to decline of PHI for any clinical documents saved in the software,” in accordance to the company, composing in a Tuesday publishing.
A mitigating factor is the simple fact that an attacker would need to have to know or guess the names of information stored in the “/checks/” directory in order to exploit the vulnerability.
“However, medical test filenames can be predictable, and valid filenames could also be attained via log information on the server or other networking infrastructure,” researchers wrote.
Health care data are a incredibly hot commodity on the cybercriminal underground — fraudsters bent on identification theft or phishing efforts can use the retailer of own facts to craft convincing campaigns.
A further vulnerability identified by Bishop Fox enables an authenticated attacker to receive distant code execution on the application server. This insecure file-upload bug (CVE-2020-28939) enables the Administrative and Administrator user roles to upload destructive data files, this kind of as PHP web shells, which can guide to arbitrary code execution on the software server.
“Administrative consumers with the capacity to enter professional medical exams for clients have been in a position to add files to the application utilizing the ‘/openclinic/health care/exam_new.php endpoint,’” in accordance to Bishop Fox. “This endpoint did not limit the forms of information that could be uploaded to the application. As a final result, it was feasible to upload a file containing a simple PHP web shell.”
Destructive consumers of the application could use this vulnerability to obtain entry to delicate info, escalate privileges, set up destructive packages on the software server, or use the server as a pivot place to gain access to the inner network.
A 3rd vulnerability, a medium-severity stored XSS vulnerability (CVE-2020-28938), will allow an unauthenticated attacker to embed a payload that, if clicked by an admin user, would escalate privileges on the attacker’s account.
“While the application code contained measures to avoid XSS, it was found that these steps could be bypassed,” according to Bishop Fox. “HTML tags that could be bundled with person input had been constrained to [a] whitelist specified in /lib/Look at.php.”
That implies that in a real attack circumstance, attackers could ship a destructive backlink to victims – which when clicked would permit them to drive actions on behalf of a different consumer, according to Bishop Fox.
“To exhibit influence, an XSS payload was embedded into a patient’s health care document with the decrease-privileged Administrative user function,” researchers spelled out. “When clicked by an administrator, this payload created a new admin account less than the attacker’s management, thus allowing them to escalate privileges.”
The last vulnerability is a reduced-effects route traversal issue (no CVE was assigned) that could let an authenticated attacker to store documents outside of selected directories on the software server.
“Admin people could add new themes to the software by the ‘/admin/topic_new.php’ endpoint,” according to scientists. “This brought on new documents to be produced less than the css folder in the directory in which OpenClinic was installed. It was doable to navigate out of the css folder and keep the files somewhere else on the filesystem.”
Bishop Fox 1st identified the bugs in late August, and designed quite a few makes an attempt to get in touch with the OpenClinic enhancement workforce via email, with no response.
“There is no edition of OpenClinic available that does not suffer from the determined vulnerabilities, and the suggestion is to switch to a various medical information administration computer software,” researchers said.
Put Ransomware on the Run: Save your spot for “What’s Future for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Obtain out what is coming in the ransomware globe and how to struggle back.
Get the most up-to-date from earth-class security experts on new varieties of attacks, the most perilous ransomware menace actors, their evolving TTPs and what your business demands to do to get forward of the next, inevitable ransomware attack. Sign-up in this article for the Wed., Dec. 16 for this Dwell webinar.
Some parts of this report are sourced from: