Disclosed OpenClinic Flaws Pose Remote Code Execution, PHI Risk

December 02, 2020 - Researchers from Bishop Fox Labs discovered four vulnerabilities in the OpenClinic application, an open-source health records management software, which could allow an attacker to read patient protected health information, among other serious risks.

Bishop Fox first discovered these flaws in August and attempted to contact OpenClinic’s development team on several occasions, before publicly disclosing the vulnerabilities on December 1.

The report follows an alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency warning of 12 flaws in the platform, three of which were ranked critical and six rated high severity.

The open source platform is used by a number of clinics and hospitals to manage lab and pharmacy workflows, manage administrative, clinical, and financial needs, and a range of in-patient and out-patient tasks.

The four newly discovered vulnerabilities are found in the OpenClinic version 0.8.2.

READ MORE: DHS CISA Alerts to OpenClinic GA Hospital Management System Flaws

The most severe flaw poses a risk of PHI loss. Researchers explained that authenticated users could upload medical test documents, stored in the /tests/ directory, which did not require the user to be authenticated to the application.

The report showed it was possible for any unauthenticated user to obtain PHI from arbitrary patients. Researchers were able to send a request and receive a response, without the need for authentication to access the requested information associated with the medical test.

An attacker would need to either know the name of the patient of the files stored in the /test/ directory, or guess it, in order to exploit the flaw. But the researchers stressed that medical test filenames are commonly predictable, while valid filenames could also be found in the server’s log files or networking infrastructure.

Bishop Fox also found the application has an insecure file upload flaw, which allows users with an administrative or administer user role to upload malicious files, including PHP web shells. In doing so, an attacker could gain remote code execution on the application server.

“Note that the Administrative and Administrator roles are different: An Administrative user can make changes to patient medical records but is not an application admin,” researchers noted.

READ MORE: DHS CISA: Fortinet VPN Vulnerability Poses Password Exposure Risk

For administrative users able to enter medical tests, the endpoint did not restrict the types of files allowed to be uploaded into the OpenClinic application, and thus, it’s possible to upload a file containing a PHP webshell.

A successful exploit of this vulnerability would enable a threat actor to access sensitive data, escalate privileges, install malicious files, or use the server as a foothold onto the internal network.

Another flaw would allow an unauthenticated hacker to bypass XSS protections to embed a malicious payload. If an administrator clicked the payload, it would escalate privileges on the attacker’s accounts. The flaw would also allow users to force actions on behalf of other users.

However, “the XSS payload can be stored in the application by users with the Administrative or Administrator roles, but not by users with the Doctor role.” OpenClinic does have preventative measures that prevent XSS, but they were easily bypassed as “the prevention measures failed to account for all possible JavaScript that could be included with user input.”

“This payload did not get filtered out from user input and could be stored in several locations throughout the application, both in the admin section and in medical records,” researchers explained. “In a real attack scenario, an attacker could use this vulnerability to force actions on behalf of another user, assuming that the victim user clicks on the malicious link.”

READ MORE: Millions of Medical Images Exposed, as US Fails to Secure PACS Flaws

“To demonstrate impact, an XSS payload was embedded into a patient's medical record with the lower-privileged Administrative user role,” they added. “When clicked by an administrator, this payload created a new admin account under the attacker's control, thereby allowing them to escalate privileges.”

Notably, the payload does need to chain together several requests to find success.

The final vulnerability was a low-impact path traversal issue that impacts the function of file uploads and would give an authenticated threat actor the ability to store files outside of the designated directories on the application server, as well as enable an attacker to write arbitrary files to the server’s filesystem.

The flaw exists as the server’s webroot does not restrict the location to which files can be saved, rather it’s restricted based on permissions of the user’s account. However, the flaw does not allow existing files to be overwritten, which limits its impact.

“The most severe of the identified vulnerabilities was a missing authentication check on requests issued to the medical tests endpoint,” researchers explained. “Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application.”

“At the time of this publication there is no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software,” they added.