Users urged to abandon open source application after maintainers fail to respond to disclosure

Zero-day vulnerabilities in healthcare records application OpenClinic could expose patients' test results

UPDATED Unpatched vulnerabilities in the OpenClinic healthcare records management application could allow attackers to access confidential patient data.

Some of the four zero-day vulnerabilities discovered by security researchers at Bishop Fox also pose a threat to the corporate networks on which the vulnerable application is deployed.

Gerben Kleijn, senior security consultant at Bishop Fox, has urged users to switch to alternative healthcare software packages after disclosing his findings to the project maintainers and failing to receive a response.

Bishop Fox told The Daily Swig that the security bugs are “trivial to exploit”.

OpenClinic is an open source health records management application written in PHP and available in English, Spanish, Dutch, and Mandarin languages.

Bishop Fox estimates that the userbase “is small based on forum activity and weekly downloads”, although the latter “may also be due to the lack of updates. There are still active user posts in the forum, which indicates some usage”.

SourceForge provides a map of download locations.

Missing authentication check

The most severe of the flaws uncovered by Kleijn in OpenClinic is a high severity missing authentication check on requests issued to the medical test endpoint.

As a result, unauthenticated attackers could request files directly from the medical test directory, giving them a route to patients’ test results.

Assigned a ‘high’ severity rather than ‘critical’ rating, the bug’s exploitability is mitigated by the fact that “an attacker would need to know or guess the names of files stored under /tests/,” said Kleijn in a security advisory.

Nevertheless, this barrier is far from insurmountable, the researcher suggested.

“Medical test filenames can be predictable, and valid filenames could also be obtained through log files on the server or other networking infrastructure,” he explained.


File upload flaw

A second high severity flaw, an insecure file upload, means an authenticated attacker can achieve remote code execution (RCE) on the application server and from there access sensitive information, escalate privileges, install malware, “or use the server as a pivot point to gain access to the internal network”.

Users with administrative privileges could upload a malicious file to the /openclinic/medical/test_new.php endpoint, call the file directly in the web root from the /tests endpoint, then execute operating system commands, according to Kleijn.

Because the endpoint does not restrict the types of file that can be uploaded, the researcher successfully uploaded a file containing a simple PHP web shell.

Stored XSS

A third, medium severity bug allows an authenticated user with lower privileges to embed a malicious payload in a medical record’s address field; Bishop Fox demonstrated it with proof-of-concept JavaScript that chains multiple requests.

Researchers fashioned a cross-site scripting (XSS) payload – <a href="javascript:alert('xss')">xss</a> – that “did not get filtered out from user input” by the application’s XSS protection mechanism, said Kleijn.

If a victim with administrator privileges can be induced to click the planted link, the payload creates a new administrator account under the attacker’s control.
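Why a payload like the one above survives a filter, and what actually neutralises it, is easier to see in code. The following is an added example written for this article, not code from OpenClinic or from Bishop Fox’s advisory; the filter it starts with is a hypothetical blocklist of the kind the payload defeats, not OpenClinic’s own protection mechanism, and the function names are illustrative.

```php
<?php
// Added example for this article; not OpenClinic or Bishop Fox code.
declare(strict_types=1);

// A hypothetical blocklist filter of the kind the advisory's payload slips
// past: it strips <script> blocks and on*= handlers, but a javascript: URL
// in an href contains neither, so the link is stored and rendered as live markup.
function naive_xss_filter(string $input): string
{
    $input = preg_replace('#<\s*script\b[^>]*>.*?<\s*/\s*script\s*>#is', '', $input);
    return preg_replace('/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $input);
}

// A postal address is text, not HTML: encode it for the HTML context at
// output time, so the browser shows the characters rather than parsing them.
function render_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a field that genuinely holds a link, allow only http(s) schemes after
// removing the whitespace and control characters browsers ignore before the
// scheme, then encode the result for use inside an href attribute.
function safe_href(string $url): ?string
{
    $clean  = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    $scheme = strtolower((string) parse_url($clean, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return render_text($clean);
}

// The advisory's payload, used here as the sample input.
$payload = '<a href="javascript:alert(\'xss\')">xss</a>';

// The blocklist leaves it untouched; a clicked link would run the script.
$filtered = naive_xss_filter($payload);
assert($filtered === $payload);

// Encoded output is inert: it renders as the literal text of the payload.
echo render_text($payload), PHP_EOL;

// The scheme allowlist rejects javascript: in any disguise and keeps https.
assert(safe_href('javascript:alert(1)') === null);
assert(safe_href(" JAVA\tSCRIPT:alert(1)") === null);
assert(safe_href('https://example.org/results') === 'https://example.org/results');
```

The point is that filtering input against known-bad markup is a losing game, while encoding at output for the exact context (HTML body, attribute, URL) is complete. Anti-CSRF tokens would not have stopped the chained requests in the proof of concept, because script running in the victim’s own origin can read them; a Content-Security-Policy that does not allow 'unsafe-inline' would have blocked the javascript: navigation as a second layer.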

Finally, a path traversal issue could “allow an authenticated attacker to store files outside of designated directories on the application server”, but this was rated only low impact because “existing files could not be overwritten.”
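The missing authentication check on the test directory, the unrestricted upload and the path traversal described above are three symptoms of one design: uploaded documents written under the web root, with attacker-chosen names, and fetched by URL with no server-side check. The following is an added example written for this article, not code from OpenClinic or from Bishop Fox, showing the shape of an upload and download pair that closes all three. The storage path, the type allowlist, `current_user()` and the `$may_view` callback are assumptions for the illustration, not OpenClinic functions or settings.

```php
<?php
// Added example for this article; not OpenClinic or Bishop Fox code.
// Everything marked "assumed" is an illustrative name, not an OpenClinic API.
declare(strict_types=1);

// Assumed: a directory outside the web root, so nothing in it has a URL.
const TEST_STORAGE_DIR = '/var/lib/openclinic-private/tests';

// Assumed allowlist of document types: extension => MIME type.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;

// Assumed helper: the logged-in user (['id' => int, 'role' => string]) or null.
function current_user(): ?array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user'] ?? null;
}

// Every document request goes through this; the directory itself is not
// web-reachable, so there is nothing left to fetch anonymously.
function require_login(): array
{
    $user = current_user();
    if ($user === null) {
        http_response_code(401);
        exit('Authentication required');
    }
    return $user;
}

// Store one entry of $_FILES. Returns the server-generated name to save on
// the medical test record; the client-supplied filename is never used on disk.
function store_test_document(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Both the claimed extension and the sniffed content must be on the
    // allowlist, so a PHP web shell named results.pdf is rejected.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$ext]) || ALLOWED_TYPES[$ext] !== $mime) {
        throw new RuntimeException('File type not permitted');
    }

    // A random name removes traversal sequences from the equation and the
    // predictable-filename guessing the advisory warns about.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], TEST_STORAGE_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}

// Serve a stored document. $stored is the value saved by store_test_document,
// read back from the record the user asked for. $may_view is an assumed
// callback doing per-record authorisation: being logged in is not enough.
function serve_test_document(string $stored, callable $may_view): void
{
    $user = require_login();

    if (!preg_match('/\A[0-9a-f]{32}\.([a-z]+)\z/', $stored, $m)
        || !isset(ALLOWED_TYPES[$m[1]])) {
        http_response_code(400);
        exit('Bad document name');
    }
    if (!$may_view($user, $stored)) {
        http_response_code(403);
        exit('Forbidden');
    }

    // Defence in depth: the resolved path must still sit under the storage dir.
    $base = realpath(TEST_STORAGE_DIR);
    $real = realpath(TEST_STORAGE_DIR . '/' . $stored);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        http_response_code(404);
        exit('Not found');
    }

    header('Content-Type: ' . ALLOWED_TYPES[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('Content-Length: ' . filesize($real));
    readfile($real);
}
```

In use, the upload handler saves the returned name on the medical test record, and a single download endpoint looks the record up, passes its stored name and an authorisation callback to serve_test_document(), and streams the file. Because the files never sit under the web root, the direct-fetch route the advisory describes no longer exists, and because the web server never executes anything from the storage directory, an uploaded script is just bytes.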

‘Left hanging’

Kleijn discovered the vulnerabilities on August 20, and the project maintainers have since failed to respond to three attempts to alert them to the issues – twice by email and once on the OpenClinic public forum – on August 28, September 28, and November 4.

In line with its 90-day disclosure policy, Bishop Fox published its findings yesterday (December 1).

The latest version of OpenClinic, V0.8.2, was released in April 2016. However, Bishop Fox says all versions of the application contain the flaws.

“It appears that the project was abandoned and is no longer maintained,” Bishop Fox told The Daily Swig.

“Unfortunately, it can be challenging to migrate away from a solution once it has been adopted.

“Ideally, projects will be smoothly transitioned to a new team of maintainers or formally deprecated. In this case, users were left hanging and will need to determine their own path forward.”

The Daily Swig has reached out to the project maintainers of OpenClinic for comment and will update this article accordingly if we receive a response.


This article was updated on December 2 with comments from Bishop Fox.
