Security researchers have discovered critical flaws in OpenEMR software that allow attackers to gain unauthorized access to medical records.
OpenEMR is one of the most widely used open-source medical practice management applications, and it also supports electronic medical records.
Researchers at Project Insecurity discovered the vulnerabilities; a total of 23 flaws were reported in their detailed analysis, 15 of which were rated ‘high severity.’
“Some examples of vulnerabilities detailed below include a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions,” the analysis report published by Project Insecurity researchers said.
One of the critical vulnerabilities allows an unauthenticated user to bypass the patient login page simply by navigating to the registration page and then modifying the URL to reach the desired page.
Normally, visiting these pages requires user authentication; the pages reachable this way include patient profiles and records, lab results, and the payment portal.
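To make the bypass class concrete for defenders, here is an added illustration (not OpenEMR's own code) of a minimal patient-portal model: it assumes the weak pattern is a session flag set by the registration page that the other pages accept in place of a real login, shows a hardened check that consults only the authenticated patient, and runs a simple audit over constructed access-log entries to find sessions that reached protected pages without a login event.

```python
# Added illustration (not OpenEMR code): a minimal patient-portal model showing
# the registration-flag bypass pattern, a hardened check, and a log audit.
from dataclasses import dataclass
from typing import Optional

PROTECTED = {"profile", "records", "lab_results", "payments"}

@dataclass
class Session:
    patient_id: Optional[int] = None  # set only by a successful login
    registering: bool = False         # set when /register is opened

def vulnerable_handle(s: Session, page: str) -> int:
    """Assumed weak pattern: the registration flag is accepted in place of a
    login, so an anonymous client can open /register and then edit the URL."""
    if page == "register":
        s.registering = True
        return 200
    if page in PROTECTED:
        return 200 if (s.patient_id is not None or s.registering) else 401
    return 404

def hardened_handle(s: Session, page: str) -> int:
    """Each protected page requires an authenticated patient; registration
    state is never consulted for authorisation."""
    if page == "register":
        s.registering = True
        return 200
    if page in PROTECTED:
        return 200 if s.patient_id is not None else 401
    return 404

def bypass_attempt(handle) -> int:
    """Anonymous client: visit /register, then request /records directly."""
    s = Session()
    handle(s, "register")
    return handle(s, "records")

# Constructed access-log entries (session_id, event, page) for the audit.
ACCESS_LOG = [
    ("s1", "login_ok", "-"), ("s1", "get", "records"),
    ("s2", "get", "register"), ("s2", "get", "records"), ("s2", "get", "payments"),
]

def sessions_without_login(log) -> dict:
    """Sessions that reached a protected page with no preceding login_ok."""
    logged_in, hits = set(), {}
    for sid, event, page in log:
        if event == "login_ok":
            logged_in.add(sid)
        elif page in PROTECTED and sid not in logged_in:
            hits.setdefault(sid, []).append(page)
    return hits
```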
Attackers could also gain access to the database storing sensitive information by combining the above flaw with one of the nine SQL injection vulnerabilities.
Researchers also spotted four remote code execution vulnerabilities, as well as vulnerabilities that can be exploited to view, upload and modify files on the system. However, all of them require authentication.
The other vulnerabilities discovered are three unauthenticated information disclosure flaws (low severity), an unrestricted file upload flaw (medium severity) and several more classified as low or medium severity.
The vulnerabilities were reported to the OpenEMR software company, and patches for all of the flaws were rolled out by the company on July 20th.
The Project Insecurity team has published a detailed analysis report on the vulnerabilities, which can be viewed here.