Researchers have found three separate vulnerabilities in OpenEMR, an open-source software for electronic health records and medical practice management.
“During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR,” Brinkrolf wrote.
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure.”
The security expert explained that the company’s static application security testing (SAST) engine discovered that two of these three vulnerabilities combined could lead to unauthenticated remote code execution (RCE).
“In summary, an attacker can use the reflected XSS, upload a PHP file […] and then use the path traversal via the Local File Inclusion to execute the PHP file. It takes a few tries to figure out the appropriate Unix timestamp but eventually leads to remote code execution.”
As for the third vulnerability, it allowed attackers to configure OpenEMR in a certain way in order to eventually steal user data.
“In other words, if OpenEMR is set up correctly, an unauthenticated attacker can read files like certificates, passwords, tokens, and backups from an OpenEMR instance via a rogue MySQL server,” Brinkrolf explained.
The security researcher added that Sonar reported all issues to the OpenEMR maintainers on October 24, 2022, who then released a patch to version 7.0.0, fixing all three vulnerabilities seven days later.
“If you are using OpenEMR, we strongly recommend updating to the fixed versions mentioned above,” the Sonar post concluded. “We want to thank the OpenEMR team for their professional and fast responses and patches.”
The patched vulnerabilities come almost five years after researchers at Project Insecurity found over 20 flaws (now fixed) in OpenEMR.