Critical vulnerabilities discovered in OpenEMR can be chained to gain code execution on a server running a vulnerable version of the popular open-source electronic health record system.
Discovered, privately reported and now publicly documented by researcher Dennis Brinkrolf, the vulnerabilities have been promptly patched by the OpenEMR maintainers at the end of November 2022.
OpenEMR is an electronic health record (EHR) system and medical practice management solution that “is used by more than 100,000 medical providers serving more than 200 million patients” around the globe.
The open-source OpenEMR project is supported by the nonprofit OpenEMR Foundation, and is maintained by hundreds of volunteers and professionals. The OpenEMR Foundation’s guiding vision is “A world where every health care provider has access to high-quality health care information technology.”
As others previously noted, OpenEMR being open source is great for security researchers who want to probe it for vulnerabilities, as they can do it without worrying about negative legal consequences. In fact, the security of open source solutions relies on and is strengthened by such efforts.
About the vulnerabilities
Brinkrolf found three vulnerabilities by analyzing the software’s code with SonarSource’s static application security testing (SAST) engine:
- An Unauthenticated File Read
- An Authenticated Local File Inclusion
- An Authenticated Reflected XSS
The first one may allow an unauthenticated attacker to leverage a rogue MySQL server to read arbitrary files from an OpenEMR instance, including certificates, passwords, tokens, and backups. The latter two can be used to take over an open, vulnerable OpenEMR instance. SonarSource’s advisory offers more in-depth technical detail about each of these flaws.
The good news is that the OpenEMR maintainers fixed these vulnerabilities in less than a week and pushed out a patch/new version of the software (v7.0.0). Organizations that use OpenEMR are advised to upgrade to that version sooner rather than later (if they haven’t already).