A large number of vulnerabilities in OpenEMR allowed attackers to access patients' health records, read data from the target database, escalate their privileges on the server, execute system commands, and more.
What is OpenEMR?
OpenEMR is a free and open source electronic health records and healthcare practice management software.
It is believed that more than 15,000 healthcare organizations across the globe use OpenEMR as their electronic medical records solution. The number of patient records managed through OpenEMR is estimated to be more than 100 million.
The vulnerabilities were discovered through a manual review of the software's source code and manipulation of requests with Burp Suite Community Edition. The researchers, all working with the cyber security outfit Project Insecurity, did not use automated scanners or any source code analysis tools.
The vulnerabilities they found in OpenEMR v22.214.171.124 included a patient portal authentication bypass, SQL injection and remote code execution bugs, unauthenticated information disclosure, unrestricted file upload, cross-site request forgery (CSRF), and unauthenticated administrative actions.
The portal authentication bypass is the most dangerous one, as it would have permitted unauthenticated users (or attackers) to view and modify an individual's health records. Accessing those records was as straightforward as visiting the registration page and modifying the URL to reach the required page.
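The defensive lesson of that bypass is that every patient-portal page must verify an authenticated session bound to the patient whose record is requested, not merely that some portal session (such as one started by a registration form) exists. The following is an added illustration, not OpenEMR's own code: a minimal constructed model of a portal with a weak record page beside a hardened one. All routes, names, credentials and records are hypothetical.

```python
# Added illustration (not OpenEMR code): a minimal model of a patient portal.
# The registration page starts a session that proves nothing about identity;
# only a successful login binds the session to a patient id. All data is constructed.
from dataclasses import dataclass
from typing import Optional

RECORDS = {  # constructed sample data, not real patient records
    101: {"name": "Patient A", "prescriptions": ["drug-x"]},
    102: {"name": "Patient B", "prescriptions": ["drug-y"]},
}
CREDS = {101: "pw-a", 102: "pw-b"}  # constructed; a real portal stores password hashes


@dataclass
class Session:
    registering: bool = False               # set by the registration page
    authenticated_pid: Optional[int] = None  # set only after a real login


def register_page(session: Session) -> str:
    """Registration step: creates portal state but does not authenticate anyone."""
    session.registering = True
    return "registration form"


def login(session: Session, pid: int, password: str) -> bool:
    """Binds the session to a patient id only when the credential check passes."""
    if CREDS.get(pid) == password:
        session.authenticated_pid = pid
        return True
    return False


def record_page_weak(session: Session, pid: int) -> Optional[dict]:
    """Weak pattern: any existing portal session reaches any record by editing the URL."""
    if session.registering or session.authenticated_pid is not None:
        return RECORDS.get(pid)
    return None


def record_page_hardened(session: Session, pid: int) -> Optional[dict]:
    """Hardened: requires an authenticated session AND that it matches the requested patient."""
    if session.authenticated_pid is None or session.authenticated_pid != pid:
        return None
    return RECORDS.get(pid)
```

The hardened check also blocks a logged-in patient from reading another patient's record by changing the id in the URL, which the weak check does not.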
"Some of the data which could be stolen because of this imperfection are patient demographics, all Medical Records, prescriptions and medical billing data, appointments scheduled and much more," Cody Zacharias, Red Team, told DataBreaches.net.
More details about the vulnerabilities, the vulnerable code, and some PoCs can be found in this report.
The researchers disclosed their findings to the software vendors and waited up to a month before making them public. They also offered advice on changes for remediating the defects.
“The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR’s security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects,” noted Brady G. Miller, CEO of OpenEMR.org.
“The OpenEMR community takes security seriously and considered this vulnerability high priority since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.”
OpenEMR.org is known to respond quickly to responsible vulnerability disclosure and to be appreciative of researchers who go out of their way to probe the software for security defects.
The fact that the software is open source is what prompted Project Insecurity to devote their time to inspecting the code, since it meant they could test it without negative legal ramifications.