OpenEMR flaw leaves millions of medical records exposed to attackers

A vulnerability in the free, open source electronic medical record and medical practice management software OpenEMR can be exploited to steal patients’ medical records and other personally identifiable information, Risk Based Security warns.

OpenEMR flaw

OpenEMR is used all over the world. 2012 estimates put the number of US installations (physician offices and other small healthcare facilities) over 5,000, and global numbers over 15,000. Among the users are the International Planned Parenthood Federation and the Peace Corps.

The flaw was discovered by company researchers while reviewing previously discovered security issues in OpenEMR, and responsibly disclosed to the developers. The fix has been pushed out in early November, in the 6th patch for OpenEMR v5.0.0.

About the vulnerability

The vulnerable component is the setup.php installation script, which allows users to easily install the application through a web browser.

Isaac Sears, who released details and exploit code for another SQL flaw involving the setup.php script in late October, found that it could allow unauthenticated remote database copying because it exposes functionality for cloning an existing OpenEMR site to an attacker-controlled MySQL server.

But, as RBS researchers noted, the vulnerability they found has a broader scope.

“The impact of the issue reported by Isaac Sears is a bit different, as it ‘only’ allows to clone the database to a remote site including, for example, password hashes. However, even after applying the patch it was still possible to abuse setup.php to instantiate a new so-called site, with a separate configuration, connecting to a remote MySQL database,” Risk Based Security researcher Sven Krewitt told Help Net Security.

“The settings of each new site include MySQL database parameters, which can arbitrarily be chosen by an attacker. Specifying a remote, attacker-controlled MySQL database during a new site-setup would, therefore, create an additional OpenEMR instance connecting to a remote MySQL server. In addition, the administrator account can be specified during a rogue multi-site installation, causing authentication for the new site to now use the remote database. This approach allows an unauthenticated, remote attacker to gain administrative access to the current and original OpenEMR installation,” the researchers explained in a write-up published on Tuesday.

“Having access with administrator privileges to an OpenEMR instance is considered critical, but the site databases are separated from each other. However, the administrator can edit local PHP files via the ‘Administration/Files’ menu. This allows inserting arbitrary PHP code, which is executed in context of the web server. This ultimately allows getting full control of the installation and e.g. disclose all stored patient data in the database or the file system.”

Problem solved

As mentioned before, this latest vulnerability has been patched over two weeks ago.

“The details we reported to the vendor resulted in OpenEMR 5.0.0 Patch 6, which ensures that *all* critical functionality is now restricted by default,” Krewitt told us.

In addition to this, the OpenEMR dev team added a security warning in the OpenEMR wiki, advising users to remove the setup.php script after installation/upgrade, as it isn’t needed for general OpenEMR use.

Exploitation of this latest flaw hinges on directory permissions allowing the configuration of a new site, but RBS researchers’ scan of Internet-accessible OpenEMR installations revealed that over half had insecure permissions that allowed the attack.

“This further supports the concern of software being installed in the cloud and improperly locked down. While we still believe that other installations on private networks are affected, the fact that these cloud installations are impacted means that many organizations’ and patients’ data is quite likely currently exposed,” they noted.

Don't miss