On Tuesday (August 7th), a group of researchers publicly disclosed 22 security vulnerabilities in the OpenEMR software. OpenEMR is a widely used medical practice management application that supports electronic medical records. Among the disclosed vulnerabilities was a portal authentication bypass that allowed an attacker to access any patient’s records.
The research team, which calls itself Project Insecurity, pointed out that they downloaded OpenEMR version 220.127.116.11 from GitHub and analyzed its source code manually, without using automated testing tools. Although none of the vulnerabilities was rated Critical, 17 of the 22 were considered to be of high severity.
In an interview with the media, Project Insecurity CEO Matt Telfer explained why this portal authentication bypass vulnerability is probably the most important discovery. “Some of the information which could be stolen as a result of this flaw includes patient demographics, all electronic medical records, prescription and medical billing information, appointment schedules, and more. There are almost 100 million patients’ records stored in total, with over 10 million of those… within the USA.”
According to the report, successful exploitation of this vulnerability allows an attacker to access portal pages that normally require login authentication. It is worth noting that exploiting the vulnerability is not complicated: one only needs to navigate to the registration page and modify the requested URL to reach many pages, including the payment page, the patient profile page, and the lab results page. In fact, once the profile page could be accessed, the researchers were able to extract the personal data of any patient.
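Because the bypass described above lets a visitor step from the registration page straight into patient-facing portal pages, one defender-side signal is a session that requests those pages without ever having completed a login. The following is an added example, not code from the report or from OpenEMR; the log format, the session-cookie field and all portal paths are assumed for illustration and are not OpenEMR’s real ones.

```python
"""Flag web sessions that reach patient-portal pages before any successful login.

Added illustration (not from the Project Insecurity report or OpenEMR).
Log format and paths are constructed assumptions, not OpenEMR's real layout.
"""
import re
from collections import defaultdict

# Assumed format: Combined Log Format with a "sid=<session id>" field appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sid=(?P<sid>\S+)$'
)

LOGIN_PATH = "/portal/index.php"  # assumed login handler (hypothetical path)
# Assumed pages that should require an authenticated patient session.
PROTECTED_PREFIXES = ("/portal/patient/", "/portal/payment", "/portal/labs")


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_access(lines):
    """Map session id -> protected paths served (HTTP 200) before that session logged in."""
    logged_in = set()
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        sid, status = rec["sid"], rec["status"]
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching
        if path == LOGIN_PATH and rec["method"] == "POST" and status in ("200", "302"):
            logged_in.add(sid)  # treat a successful POST to the login handler as a login
        elif path.startswith(PROTECTED_PREFIXES) and status == "200" and sid not in logged_in:
            hits[sid].append(path)
    return dict(hits)


SAMPLE_LOG = [  # constructed sample traffic, not real logs
    '198.51.100.7 - - [07/Aug/2018:10:00:00 +0000] "POST /portal/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" sid=sess-A',
    '198.51.100.7 - - [07/Aug/2018:10:00:05 +0000] "GET /portal/patient/profile.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" sid=sess-A',
    '203.0.113.5 - - [07/Aug/2018:10:01:00 +0000] "GET /portal/account/register.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" sid=sess-B',
    '203.0.113.5 - - [07/Aug/2018:10:01:10 +0000] "GET /portal/patient/profile.php?view=summary HTTP/1.1" 200 4096 "-" "Mozilla/5.0" sid=sess-B',
    '203.0.113.5 - - [07/Aug/2018:10:01:20 +0000] "GET /portal/payment.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" sid=sess-B',
]

if __name__ == "__main__":
    for sid, paths in find_unauthenticated_access(SAMPLE_LOG).items():
        print(f"session {sid} reached protected pages without login: {paths}")
```

Session sess-A logs in first and is not reported; sess-B goes from the registration page directly to the profile and payment pages and is flagged.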
Project Insecurity found that attackers could chain this portal authentication bypass with the eight SQL injection vulnerabilities found in OpenEMR’s PHP code to read data from the target database, destroy patient records, and perform various other database operations without authorization. Project Insecurity also discovered four Remote Code Execution (RCE) vulnerabilities that could allow an attacker to execute system commands or escalate their privileges.
Project Insecurity, a team consisting of Matt Telfer, Brian Hyde, Cody Zacharias, Corben Leo, Daley Bee, Dominik Penner, and Manny Mand, noted in a 28-page vulnerability analysis report that OpenEMR’s developers had already released a series of patches on July 20 to fix these vulnerabilities.