DHS CISA Alerts to OpenClinic GA Hospital Management System Flaws
Vulnerabilities found in the OpenClinic GA integrated hospital information management system have prompted a medical advisory from DHS CISA ICS-CERT, urging a system upgrade.
By - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an ICS-CERT medical advisory for 12 critical and serious vulnerabilities found in the OpenClinic GA integrated hospital information management system.
A number of hospitals and clinics leverage the open source platform to manage lab and pharmacy workflows, as well as administrative, clinical, and financial management, and a host of other in-patient and out-patient tasks. The flaws were found and reported to CISA by security researcher Brian D. Hysell.
Three of the disclosed vulnerabilities found in OpenClinic GA versions 5.09.02 and 5.89.05b have been ranked critical and six are ranked high severity. According to the alert, a hacker could remotely exploit the flaw with low skill levels. Public exploits are already available.
“Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view or manipulate restricted database information, and or execute malicious code,” CISA explained.
To start, the critical CWE-288 flaw would allow an attacker to bypass client-side access controls or leveraged a crafted request to start a session with limited functionality, which could execute a host of admin functions, including SQL queries.
The CWE-307 flaw could let a hacker bypass the system’s account lockout protection, enabling brute-force password cyberattacks. The alert also showed that an authentication mechanism within the platform does not have sufficient complexity to fend off brute-force attacks.
As a result, unauthorized users could access the system without a fixed number of maximum attempts.
Further, the platform fails to properly check permissions before SQL queries are executed, giving a low-privilege user access to privileged data. A low-privilege user could also use SQL syntax to write arbitrary files to the server, giving an attack the ability to execute arbitrary commands.
“The system does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system,” according to the alert. “The system includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files.”
“An attacker may bypass permission/authorization checks by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands,” it continued. “The system does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser.”
Meanwhile, the platform uses third-party software versions operating on end-of-life support, which contain known vulnerabilities, thus able to allow remote code execution.
Lastly, the system stores passwords with inadequate hashing complexity, which would allow an attacker to recover passwords using known password cracking techniques. And the system contains a hidden default user account that could be accessed if the admin has failed to turn it off, allowing a hacker to login to execute arbitrary commands.
OpenClinic GA is aware of the flaws but did not provide the agency with confirmation that they have resolved these issues. DHS CISA is urging all healthcare and public health agencies to upgrade to the latest software version to ensure all current fixes are applied.
First, organizations will need to perform a proper impact analysis and risk assessment before launching any defensive measure.
Organizations must employ a policy of least-privilege user principles and minimize network exposure for all control system devices and or systems, ensuring vulnerable devices are not internet-accessible. Administrators should locate control system networks and remote devices behind firewalls, then isolate those devices from the enterprise network.
Secure methods, such as Virtual Private Networks (VPNs), should be leveraged when remote access is required. However, VPNs also have some known vulnerabilities that should first be updated to ensure fixes are applied. VPNS are only as secure as the connected devices.
DHS CISA also recommended organizations review its recommended practices for control systems security to harden their defenses.
