OpenClinic's Major Flaw Leads to Four 'High Risk' Zero-Day Vulnerabilities That Could Expose Patient Data

Security experts claimed that the OpenClinic application is currently suffering from major flaws. Bishop Fox Labs' researchers found four issues in the open-source health records management software.

Security Experts Discover Serious Vulnerabilities in OpenClinic Application; These Could Pose High PHI Risks

One of these could allow an attacker to breach patient protected health information. Bishop Fox Labs tried to contact OpenClinic's development team on several occasions after discovering the flaws.

After confirming that the vulnerabilities are serious, the security researchers immediately disclosed the vulnerabilities to the public on Dec. 1. According to Health IT Security's latest report, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency also announced 12 flaws in the medical platform. These include six rated with high severity and three ranked as critical issues.

OpenClinic's most severe flaw

The Daily Swig reported that Gerben Kleijn, a senior security consultant at Bishop Fox, advised the users to look for alternative healthcare software packages. Kleijn is also the one who discovered the most dangerous flaw in the platform.


This one is a high-severity missing authentication check on requests to the medical test endpoint. Because the endpoint never verifies that the requester is logged in, an unauthenticated attacker can request files containing sensitive documents and user data from the medical test directory.

In practice, this gives an attacker a way to read patients' test results.

OpenClinic's file upload flaw

Another flaw was also found in the medical platform. This one is an insecure file upload vulnerability. It could allow authenticated attackers to achieve remote code execution (RCE) on the application server. Once they have code execution, they can access sensitive information, install malware, and escalate privileges.

At the time of writing, OpenClinic has not said whether it is patching the newly discovered flaws. Attackers can take advantage of the flaw by uploading malicious files to the "/openclinic/medical/test_new.php" endpoint, which does not restrict the types of file that can be uploaded. The researchers tested this flaw themselves and successfully uploaded a file containing a simple PHP web shell.
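The two flaws described above (a medical test endpoint with no authentication check, and an upload endpoint with no file-type restriction) are both fixed by the same kind of handler. The following is an added example written for this article, not OpenClinic's own code: a hardened PHP upload handler for medical test documents. It assumes a session-based login that sets `$_SESSION['user_id']`, a form field named `document`, and a storage directory `/var/lib/openclinic-uploads` that the web server does not serve; all of these names are assumptions.

```php
<?php
// Added example (not OpenClinic's code): hardened upload handler for a medical
// test document. Assumed: session login sets $_SESSION['user_id'], the upload
// field is named "document", and STORE_DIR is outside the web root.

declare(strict_types=1);

session_start();

// 1. The authentication check the vulnerable endpoint lacks: refuse anonymous
//    requests before touching any file or patient data.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('authentication required');
}

// 2. Allow-list of document types. Anything else, including .php, .phtml and
//    .htaccess, is rejected no matter what the client claims.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];
const MAX_BYTES = 10 * 1024 * 1024;
const STORE_DIR = '/var/lib/openclinic-uploads'; // assumed: not served by the web server

function rejectUpload(string $reason): void
{
    http_response_code(400);
    exit('upload rejected: ' . $reason);
}

if (!isset($_FILES['document']) || $_FILES['document']['error'] !== UPLOAD_ERR_OK) {
    rejectUpload('no file or transfer error');
}
$file = $_FILES['document'];
if ($file['size'] > MAX_BYTES) {
    rejectUpload('file too large');
}

// Only the final extension of the client-supplied name is considered, so
// "report.php.pdf" is treated as pdf; the file is renamed below anyway.
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    rejectUpload('extension not allowed');
}

// 3. Determine the real content type by sniffing the bytes, not by trusting the
//    Content-Type header the browser sent.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$detected = $finfo->file($file['tmp_name']);
if ($detected !== ALLOWED[$ext]) {
    rejectUpload('content does not match extension');
}

// 4. Never keep the client's file name: store under a random name with the
//    validated extension, outside the document root, with no execute bit.
$storedName = bin2hex(random_bytes(16)) . '.' . $ext;
$dest = STORE_DIR . DIRECTORY_SEPARATOR . $storedName;
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
chmod($dest, 0640);

// Log who stored what, so later reads can be tied back to an authenticated user
// and so unexpected upload activity shows up in monitoring.
error_log(sprintf('upload ok user=%s stored=%s type=%s',
    $_SESSION['user_id'], $storedName, $detected));
echo 'stored';
```

The important design choice is that no single check is trusted on its own: the session check blocks anonymous access, the extension allow-list and byte-level MIME check together block disguised scripts, and storing under a random name outside the document root means that even a file which slips past both checks is never reachable as a URL or executed by the PHP interpreter. Reads of stored documents should go through a similar authenticated script that verifies the requesting user is entitled to that patient's record.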

For more news updates about security vulnerabilities in other platforms or apps, always keep your tabs open here at TechTimes.

This article is owned by TechTimes.

Written by: Giuliano de Leon.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.