Chained together, the flaws could imperil sensitive patient data and critical medical infrastructure

OpenEMR fixes serious flaws that lead to command execution in Patient Portal

Healthcare providers are urged to update their OpenEMR instances after the discovery of vulnerabilities that could surrender control of the medical practice management application to attackers.

Security researchers achieved unauthenticated command execution on OpenEMR servers thanks to a stored cross-site scripting (XSS) flaw in the open source platform’s Patient Portal, itself unauthenticated courtesy of insecure permissions in the API.

A malicious JavaScript payload could be injected into any user account even when the registration feature for new patients was disabled.

Doing so against an administrator account enabled attackers to “take over the entire server”, said Dennis Brinkrolf, security researcher at Swiss cybersecurity vendor SonarSource, in a blog post.

“Other, lower privileged user sessions can be misused to exploit” an SQL injection vulnerability also found by the researchers and “steal patient data from the database”.



The researchers praised the OpenEMR maintainers for rapidly patching the bugs.

OpenEMR says its PHP-based software is used by around 100,000 medical providers worldwide.

The Patient Portal, which is downloaded more than 5,000 times per month, is used by patients to access their medical records, book appointments, conduct virtual consultations, and pay medical bills.

Command injection

The command injection flaw was found in a feature for creating data backups.

The malicious payload ?form_sel_layouts[]=`touch sonarsource.txt;` resulted in backtick characters materializing in the shell command:

echo "DELETE FROM layout_options WHERE form_id = '`touch sonarsource.txt;`';" >> /tmp/export;

“The problem here is that the echo shell command uses double quotes and thus allows [attackers] to execute sub commands in Linux by using characters like backticks `` or $(),” said Brinkrolf.

“Once our backticks are found within the system command, our new, injected command is executed and the output result is inserted into the initial command.”
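The quoting behaviour described above, reproduced as an added example (not OpenEMR's code, nor taken from the SonarSource post), with the vulnerable pattern beside two safer forms. The function names, the scratch directory and the allowlist of letters, digits and underscores for form_id are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not OpenEMR code. Function names are hypothetical.

# Vulnerable pattern: the untrusted value is pasted into command text that a
# shell then parses, so backticks or $() inside the double quotes are executed.
export_vulnerable() {
    form_id=$1; out=$2
    cmd="echo \"DELETE FROM layout_options WHERE form_id = '$form_id';\" >> \"$out\""
    sh -c "$cmd"
}

# Shell-safe: the value is passed as data to printf and never re-parsed.
# It still lands unchecked inside the SQL string, so this alone is not enough.
export_literal() {
    form_id=$1; out=$2
    printf "DELETE FROM layout_options WHERE form_id = '%s';\n" "$form_id" >> "$out"
}

# Hardened: allowlist first (assumption: layout ids use only letters, digits
# and underscores), then write the value as data.
export_hardened() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    export_literal "$1" "$2"
}

# Demo in a scratch directory with the payload quoted in the article.
(
    cd "$(mktemp -d)" || exit 1
    payload='`touch sonarsource.txt;`'
    export_vulnerable "$payload" export.sql
    [ -f sonarsource.txt ] && echo "vulnerable: injected command ran"
    rm -f sonarsource.txt
    export_literal "$payload" export.sql
    [ -f sonarsource.txt ] || echo "literal: payload written as text only"
    export_hardened "$payload" export.sql || echo "hardened: form_id rejected"
)
```

The middle variant shows why escaping for the shell is only half the fix: the command no longer runs, but the raw value is still written into the SQL statement.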

Persistent XSS

Attackers could inject a persistent XSS payload within the last name of an administrator account, which is then read from the user database and presented in the front end if, for example, the user changes their password.

Embedded into the HTML output without sanitization, the corrupted username then allows the insertion of malicious HTML code into the response page rendered by the administrator’s browser.

When <script> tags are injected into the last name, malicious JavaScript code can be executed that gives the attacker control of the victim’s browser.



Insecure API permissions

Insecure API permissions surfaced during the new user registration process. Because the session variable is not destroyed at the end of the file, an attacker could “make the first HTTP request to register.php which creates a session and sets the session variable $_SESSION['register'] to true”, explained Brinkrolf.

“Then, without completing the registration, the attacker can access the dispatcher and bypass the authentication because $ignoreAuth is set to true.”

“The exploit is not difficult to pull off,” Johannes Dahse, head of R&D at SonarSource, told The Daily Swig.

“It can take some time for the attacker to succeed though”, since the attacker must wait for the user to log in and trigger the payload. 

Once achieved, however, “this could lead to the extraction or even modification of highly sensitive patient data.”

In the blog post, Brinkrolf included ways that developers might patch the flaws, to help other developers learn “how to write secure code”, added Dahse.

Remediation

The four security flaws were found in OpenEMR 5.0.2.1.

Dahse said SonarSource reported the vulnerabilities to OpenEMR on February 24, and the OpenEMR team released a patch for the vulnerabilities on April 29.

OpenEMR released version 5.0.2 on August 11.

Robert Down, chief operations officer at the OpenEMR Foundation, thanked SonarSource for uncovering the vulnerabilities.

“OpenEMR is proud of our relationship with the security community and remains steadfast in our commitment to addressing any critical security vulnerabilities identified,” he told The Daily Swig.

“While no software is completely free of vulnerabilities, as an open source product, OpenEMR is well positioned to best identify and correct potential issues.”

