Four vulnerabilities have been identified in the OpenClinic software, the most critical of which could allow unauthorized individuals to bypass authentication and access protected health information (PHI).
OpenClinic, a health record management system, is used by many private clinics, hospitals, and physician practices for clinical, financial, and administrative work.
A Bishop Fox Labs researcher discovered the four vulnerabilities in the application, none of which has yet been resolved. The most critical is a missing-authentication flaw that attackers can use to access a patient's medical test results. Authenticated users of the application can upload patient examination results to the system's /tests/ directory, but requests for files in that directory are served without any authentication, so the test data is displayed to anyone who requests it.
To obtain the test data, an unauthenticated user would need to know or guess the file names; however, the Bishop Fox researcher noted that medical test file names are often easy to guess and can also be obtained from log files on the server. The vulnerability (CVE-2020-28937) can be exploited remotely and was assigned a high severity rating.
The second vulnerability (CVE-2020-28939), also rated high severity, is an insecure file upload that lets users with the administrative or administrator role upload malicious files to the system. According to the researcher, users authorized to enter medical data for patients can upload files with no restriction on file type, so web shells could be uploaded and used for arbitrary code execution on the application server. A malicious actor with the administrative or administrator role could obtain sensitive information, escalate privileges, install malicious software, or gain access to the internal system.
The third vulnerability (CVE-2020-28938) was rated medium severity. This cross-site scripting (XSS) flaw lets application users perform actions on behalf of other users. The software includes controls intended to prevent cross-site scripting, but they can be bypassed. A low-privileged user could exploit the vulnerability by getting an administrator to click a malicious link, which could deliver a payload that creates a new administrator account for the low-privileged user.
The last vulnerability is a path traversal flaw with a low severity score. It allows an authenticated attacker to write files to the server's filesystem and could be used in a denial-of-service attack against the upload feature.
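As an added illustration of the controls the upload and path traversal findings call for (example code written for this page, not OpenClinic's or Bishop Fox's), the following Python validator restricts uploads to an assumed allowlist of result file types, checks the content against the declared type, stores files under random rather than guessable names, and refuses stored names that escape the upload directory. The allowlist, the `validate_upload` and `storage_path` names, and the sample inputs are assumptions.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist for uploaded test results: extension -> accepted leading bytes.
# Anything else (for example a .php script) is rejected regardless of its name.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(client_filename: str, content: bytes) -> UploadDecision:
    """Decide whether an uploaded test result may be stored, and under what name.

    The weak behaviour described in the article stores any file type under a
    guessable name; here the client name only supplies the extension, the content
    must match the declared type, and the stored name is random.
    """
    # Reject any directory component ("../x.pdf", "a/b.pdf", backslash variants)
    # so the upload cannot be steered outside the intended directory.
    normalized = client_filename.replace("\\", "/")
    base = os.path.basename(normalized)
    if base != normalized or base in ("", ".", "..") or "\x00" in base:
        return UploadDecision(False, "filename contains a path component")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {ext or '(none)'} is not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match the declared type")
    # Random, unguessable stored name; only the vetted extension is kept.
    return UploadDecision(True, "ok", secrets.token_urlsafe(24) + ext)


def storage_path(upload_root: str, stored_name: str) -> Optional[str]:
    """Join stored_name under upload_root; return None if it would escape the root."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored_name))
    return path if os.path.dirname(path) == root else None
```

The same allowlist check should be applied server-side regardless of any client-side filtering, since the article's finding is precisely that the server imposes no type restriction.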
The vulnerabilities were identified by Gerben Kleijn, Senior Security Consultant at Bishop Fox. At the time of disclosure, no version of OpenClinic was free of the discovered vulnerabilities, and users are advised to switch to an alternative medical records management system.
These are not the first serious vulnerabilities to be identified in OpenClinic this year. In July, CISA issued an alert about 12 vulnerabilities in the software, 3 of which were rated critical and 2 high severity.