Several of the vulnerabilities discovered by researchers in the OpenEMR software can be exploited remotely by attackers to access medical data and compromise healthcare infrastructure.
OpenEMR is open source practice management software for healthcare organizations. The free application is very popular and offers a wide range of features for managing medical records and medical practices.
Researchers from Swiss code quality and security company SonarSource discovered earlier this year that OpenEMR is affected by four types of vulnerabilities that impact servers using the Patient Portal component.
The list of vulnerabilities includes command injection, persistent cross-site scripting (XSS), unprotected API access and SQL injection.
The Patient Portal enables healthcare organisations to perform a variety of tasks online, such as communicating with doctors, completing new patient registration forms, making appointments, making payments and requesting prescriptions.
However, SonarSource researchers found that an attacker can take full control of the OpenEMR server if the Patient Portal is enabled and reachable from the Internet, by chaining the discovered vulnerabilities.
According to SonarSource, the Patient Portal has its own API through which all portal actions are performed. Using this API requires authentication, but the researchers found a way to bypass it, giving them access to patient data and allowing them to modify it, or to modify information about other users, such as administrators.
An attacker who is able to modify an administrator account's data can use the persistent XSS vulnerability to inject malicious code that is executed when the administrator logs into their account.
On the other hand, if an attacker targets a user with lower privileges instead of an administrator, they can exploit the SQL injection vulnerability to access the patient database and steal potentially valuable data.
Exploiting the XSS and command injection flaws requires administrative privileges, but the SQL injection flaw can be exploited with normal user rights.
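To make the two bug classes in this chain concrete, here is an added illustration that is not OpenEMR's code or SonarSource's finding: a toy patient-portal lookup in which a string-concatenated SQL query sits beside its parameterised form, and a stored display name is rendered once without and once with output escaping. The patient rows, the table layout and the function names are constructed for the demonstration and say nothing about how the real OpenEMR code is written.

```python
"""Added example, not OpenEMR's code: SQL injection and persistent XSS,
each beside a hardened version, in a toy patient-portal lookup.
All data here is constructed for the demonstration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (pid INTEGER, fname TEXT, lname TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?, ?)",
        [(1, "Ann", "Adams", "000-00-0001"), (2, "Bob", "Baker", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, lname: str) -> list:
    """String-concatenated query: the search term becomes part of the SQL text,
    so a quote in the input changes the query's logic."""
    sql = "SELECT pid, fname, lname FROM patients WHERE lname = '" + lname + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, lname: str) -> list:
    """Parameterised query: the driver binds the value as data, never as SQL,
    so the same input only ever matches a literal last name."""
    sql = "SELECT pid, fname, lname FROM patients WHERE lname = ?"
    return conn.execute(sql, (lname,)).fetchall()


def render_name_unsafe(display_name: str) -> str:
    """A stored field written straight into HTML: if an attacker can write
    the field (as in the article's API bypass), the markup runs for whoever
    views the page, which is what makes the XSS persistent."""
    return '<span class="user">' + display_name + "</span>"


def render_name_safe(display_name: str) -> str:
    """Same field, escaped on output so any markup is shown literally."""
    return '<span class="user">' + html.escape(display_name, quote=True) + "</span>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("hardened:  ", lookup_hardened(db, probe))    # returns no rows
    print(render_name_safe('<b onmouseover="x">Ann</b>'))
```

The hardened lookup is the one the patch class described in the article amounts to: the database never sees user input as part of the statement, and a field that users can write is escaped at the point where it is rendered, so control over profile data no longer translates into script execution in an administrator's session.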
SonarSource discovered the vulnerabilities in OpenEMR 184.108.40.206; they were patched in August with the release of 220.127.116.11. Details of the flaws have only now been disclosed, in order to give users sufficient time to install the update.
@EduardKovacs – Editor at SecurityWeek. He worked for two years as a high school IT teacher before starting a career in journalism as a security news reporter for Softpedia. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering.