A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or install malware on the hosting server.
OpenClinic GA is described as an “integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data.” The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.
Brian Hysell, a senior consultant at the Synopsys Software Integrity Group, discovered that the software is affected by a dozen vulnerabilities, most of which have been classified as critical or high severity based on their CVSS score. The flaws can be exploited to bypass access controls and account protections, obtain sensitive information, upload and execute arbitrary files, and execute arbitrary code or commands.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory describing the issues identified by Hysell.
The researcher told SecurityWeek that he reported his findings to the vendor, via ICS-CERT, in August 2018. He says he has not communicated directly with the developer, who told ICS-CERT in March 2019 that most of the vulnerabilities had been patched in the latest release. However, communications with the developer were apparently poor and it’s unclear exactly which of the flaws have been patched.
Hysell explained that several of the vulnerabilities could be chained together to allow an attacker who has access to the application via a web browser to conduct various activities, including to view or modify the content of databases (including patient data), or install malware on the server hosting OpenClinic GA, which can allow the attacker to move deeper into the targeted organization’s network.
“One example: a defect in a way the application checked passwords during login (CVE-2020-14494) allowed any user’s account, no matter how complex their password was, to be brute-forced after only a few thousand attempts — a few hundred in many cases. This should have been mitigated by the account lock-out initiated after a number of failed login attempts, but another vulnerability (CVE-2020-14484) meant that an attacker could use a formula hard-coded in the application to generate the ‘unlock code’ for the account,” Hysell said.
“Once logged in to the application, an attacker could try to access a page in the administration panel that accepted arbitrary SQL database queries. This page is supposed to be accessible only to administrators, but a missing authorization check (CVE-2020-14486) meant that an attacker could still use it even if the account he or she had brute-forced was not an administrator. And along with running regular database queries, this form could be used to run a query that would write a web shell to the server (CVE-2020-14493), allowing the attacker to run OS commands or install malware on the server.
“Other bugs (CVE-2020-14485) in the application’s session management allowed attackers to bypass login entirely; they could only access certain portions of the application, but crucially, those included that same SQL query panel,” he added.
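As an added, defender-side illustration of two links in the chain Hysell describes (example code, not OpenClinic GA's own or the researcher's): an unlock code that is recomputable from a fixed rule, contrasted with a random, time-limited, single-use code, plus the server-side role check that should gate the raw SQL page. The formula, lockout threshold and validity window are hypothetical stand-ins, not values from the advisory.

```python
import hmac
import secrets
import time

LOCKOUT_THRESHOLD = 5          # assumed policy value, not OpenClinic GA's
UNLOCK_TTL_SECONDS = 900       # assumed validity window for an unlock code


def weak_unlock_code(username: str) -> str:
    """Hypothetical deterministic unlock code (stand-in for the CVE-2020-14484 flaw class)."""
    return f"{sum(ord(c) for c in username) % 10000:04d}"


def _now(now):
    return time.time() if now is None else now


class Account:
    def __init__(self, username: str, role: str = "user"):
        self.username = username
        self.role = role
        self.failed_attempts = 0
        self.locked = False
        self._unlock = None  # (code, expiry) for a pending single-use unlock

    def record_failed_login(self) -> None:
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True

    def issue_unlock_code(self, now=None) -> str:
        """Hardened: random, time-limited, single-use; handed over through a trusted channel."""
        code = secrets.token_urlsafe(16)
        self._unlock = (code, _now(now) + UNLOCK_TTL_SECONDS)
        return code

    def try_unlock(self, code: str, now=None) -> bool:
        if self._unlock is None:
            return False
        expected, expiry = self._unlock
        self._unlock = None  # one attempt per issued code, success or not
        if _now(now) > expiry or not hmac.compare_digest(expected, code):
            return False
        self.locked = False
        self.failed_attempts = 0
        return True


def may_use_sql_console(account: Account) -> bool:
    """Authorization check the page says was missing (CVE-2020-14486): unlocked admins only."""
    return not account.locked and account.role == "admin"
```

The weak variant is reproducible by anyone who knows the rule, which is exactly why a lockout built on it does not stop a password-guessing attack; the hardened variant cannot be derived from account data and is consumed on first use.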
The researcher says it might be possible to exploit some of the vulnerabilities directly from the internet if an organization has configured the application to be remotely accessible.
“I am aware of a couple of internet-exposed instances, but OpenClinic GA’s default configuration doesn’t lend itself to ‘passively’ identifying instances in databases like Shodan. An attacker could actively seek them out with an application-layer network scanner like ZGrab, but I haven’t done so,” he explained.