OpenEMR is a popular, open-source software solution for the management of millions of electronic patient records worldwide. However, the software, until recently, also contained over 20 severe security issues.
Discovered by Project Insecurity and disclosed in a security advisory (PDF), the bugs, the team said, included multiple SQL injection flaws, several issues that could lead to remote code execution, and vulnerabilities allowing unauthenticated information disclosure.
Additionally, threat actors could compromise the management system through unrestricted file upload flaws, cross-site request forgery (CSRF) issues, including one for which a proof-of-concept chained CSRF to remote code execution, and processes which permitted unauthenticated administrative actions.
The security flaws found required no automated scanning or source code analysis tools; rather, they were uncovered simply by manually reviewing the source code and modifying requests with Burp Suite.
An attacker exploiting these vulnerabilities against an OpenEMR deployment could access patient records without authentication or permission, compromise database records, book appointments without permission, access sensitive system data, escalate privileges, upload files, and execute system commands.
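SQL injection heads the advisory's list, and the root cause is always the same: untrusted input spliced into SQL text. The following is an added illustration written for this article, not code from OpenEMR or from the Project Insecurity advisory; it uses a constructed in-memory SQLite table (the `patient_data` columns are assumed for the demo and are not OpenEMR's schema) to show the vulnerable lookup beside the hardened one that binds the same input as a parameter, plus a shape check on the input as defence in depth.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not real patient data.
SAMPLE_PATIENTS = [
    (1, "alice", "Alice", "Example", "1980-01-01"),
    (2, "bob", "Bob", "Example", "1975-06-15"),
    (3, "carol", "Carol", "Example", "1990-12-30"),
]

# Usernames in this demo are short alphanumerics; anything else is rejected
# before it ever reaches the database layer (assumed policy, defence in depth).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_data ("
        "pid INTEGER PRIMARY KEY, username TEXT, fname TEXT, lname TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug class the advisory names: the caller's string becomes part of the SQL.

    A single quote in `username` ends the literal and lets the rest of the
    input be parsed as SQL, so a crafted value can widen the WHERE clause and
    return every row instead of one.
    """
    sql = f"SELECT pid, fname, lname, dob FROM patient_data WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def is_valid_username(username: str) -> bool:
    """Allow-list check on the input's shape; quotes, spaces and operators fail."""
    return bool(USERNAME_RE.fullmatch(username))


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter, so the input is data and never SQL.

    The allow-list check is an extra layer; even without it the parameter
    binding alone defeats the injection, which is why it is the primary fix.
    """
    if not is_valid_username(username):
        return []
    sql = "SELECT pid, fname, lname, dob FROM patient_data WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Run both lookups on the same input and return (vulnerable_rows, hardened_rows)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, username), lookup_hardened(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves the same either way.
    print("benign :", compare("bob"))
    # The textbook tautology payload: the vulnerable query returns the whole
    # table, the parameterised query returns nothing because no username is
    # literally equal to that string.
    print("crafted:", compare("' OR '1'='1"))
```

Running the script prints one row for `bob` from both functions, and for the crafted value three rows from the vulnerable lookup against an empty list from the hardened one. The point for reviewers is that the two functions differ by a single line: the query text is fixed and the value travels separately.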
The team reached out to the vendor on July 9. After agreeing on a four-week public disclosure release date, OpenEMR set to work resolving all of the vulnerabilities discovered.
An update resolving the bugs was released on August 7 in OpenEMR version 18.104.22.168.
OpenEMR said it was “thankful” for the responsible disclosure and made resolving the vulnerabilities a top priority as “one of the reported vulnerabilities did not require authentication.”
Countless enterprise firms and organizations rely on open-source software and components, and sometimes, bugs will slip through the net as many open-source projects rely on volunteers rather than structured DevOps teams.
This is not the first time OpenEMR has been given a hand with security. In 2017, researchers from Risk Based Security disclosed a vulnerability involving the software's setup script, which could lead to complete compromise if exploited.
Electronic records may be a more convenient and efficient alternative to pen-and-paper, but we’ve already seen what lax security can cause when it comes to our medical data.
In July, SingHealth, Singapore's largest group of medical establishments and organizations, suffered a data breach that compromised the records of 1.5 million patients, including Prime Minister Lee Hsien Loong.
Patient names, national identification numbers, physical addresses, genders, and dates of birth were among the stolen data.