Software bugs put nearly 100 million health records at risk of exposure
The multitude of vulnerabilities – since fixed – were found without the use of automated testing tools
A team of seven researchers have discovered more than 20 security vulnerabilities in OpenEMR, an open source application used worldwide for the electronic management of medical records of nearly 100 million people.
In keeping with the principles of responsible disclosure, Project Insecurity researchers informed the OpenEMR developers of the vulnerabilities well before releasing their findings. This allowed the developers to release an update on July 20 to 220.127.116.11 that fixes the bugs. The team’s findings are detailed in this vulnerability report, which describes the flaws in the previous version of the software (18.104.22.168).
Interestingly, the researchers did not rely on any automated testing tools to identify the security vulnerabilities, most of which were deemed to be serious. “The vulnerabilities disclosed in this report were discovered by manually examining the source code and modifying the requests with Burp Suite Community Edition, no automated scanners or source code analysis tools were used,” they wrote.
More importantly, among the bugs was one that made it easy to bypass Patient Portal authentication. “An unauthenticated user can bypass the patient portal login by simply going to the registration page and changing the requested URL to the desired page,” the report read.
Speaking to DataBreaches.net, the head of the company’s red team, Cody Zacharias, said, “The authentication bypass vulnerability was the most significant vulnerability discovered by our team, because not only does it open the web application to SQL injection, but it also gives the attacker the ability to view and tamper with a person’s records affecting both the confidentiality and integrity of the DME.”
Additionally, the team discovered a host of remote code execution flaws and multiple instances of SQL injection vulnerabilities. OpenEMR was also left open to attacks through arbitrary read, write, and delete vulnerabilities, an unrestricted file download vulnerability, as well as several cross-site request tampering bugs that allowed execution of remote code.
Project Insecurity CEO Matt Telfer told DataBreaches.net why they chose to look at the OpenEMR code: “from the regular processing of medical records to their electronic processing and security implications, so we decided to look at the EMR / EHR systems. After some research on Google, we found that OpenEMR was the most widely deployed open source electronic medical record application on the Internet. And the fact that it was open source meant we could test it without any negative legal implications.”
Meanwhile, OpenEMR.org CEO Brady G. Miller expressed appreciation for Project Insecurity’s initiative: “The OpenEMR community is very grateful to Project Insecurity for its report, which has led to improved security of OpenEMR. Responsible reporting of security vulnerabilities is an invaluable asset for OpenEMR and all open source projects.”
Needless to say, healthcare facilities that use OpenEMR are well advised to update their systems if they haven’t already.