A slew of vulnerabilities in OpenEMR allowed attackers to access arbitrary patients’ health records, view data from a target database, escalate their privileges on the server, execute system commands, and more.
What is OpenEMR?
OpenEMR is a free and open source electronic health records and medical practice management solution.
It’s one of the most popular electronic medical records management solutions in use today and it’s estimated that, worldwide, some 15,000 healthcare organizations of varying sizes are using it. The number of patient records it’s used to handle is believed to reach 100 million.
The discovery of the vulnerabilities is the result of a manual review of the software’s source code and modification of requests with Burp Suite Community Edition. The researchers – all working with cybersecurity outfit Project Insecurity – did not use automated scanners or source code analysis tools.
The vulnerabilities they discovered in OpenEMR v220.127.116.11 include a portal authentication bypass, several SQL injection and remote code execution flaws, unauthenticated information disclosure, unrestricted file upload, CSRFs, and unauthenticated administrative actions.
The portal authentication bypass is the most serious one, as it would have allowed unauthenticated attackers to view and modify a person’s records. Accessing those records was as simple as navigating to the registration page and modifying the requested URL to reach the desired page.
“Some of the information which could be stolen as a result of this flaw includes patient demographics, all Electronic Medical Records, prescription and medical billing information, appointment schedules, and more,” Cody Zacharias, Red Team Lead, told DataBreaches.net.
More details about the vulnerabilities, the vulnerable code, and some PoCs can be found in this report published on Wednesday.
The researchers disclosed their findings to the software maintainers and waited a month to disclose them to the public. They also offered advice on changes for remediating the flaws.
“The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR’s security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects,” noted Brady G. Miller, CEO of OpenEMR.org.
“The OpenEMR community takes security seriously and considered this vulnerability high priority since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.”
OpenEMR.org is known to be quick to react to responsible vulnerability disclosure and to be grateful to researchers who take the trouble to poke through the software for security flaws.
The fact that the software is open source is one of the things that spurred Project Insecurity to dedicate their time to auditing the code, as it meant that they could test it without any negative legal implications.