Potential Unauthorized PHI Access Could Result from Vulnerabilities in OpenClinic Application

Four vulnerabilities were identified in the OpenClinic application, the most severe of which can allow unauthorized users to circumvent authentication and view protected health information (PHI).

Numerous private clinics, hospitals, and physician practices use OpenClinic, a health record management software program, for clinical, financial, and administrative tasks.

A researcher at BishopFox Labs found the four vulnerabilities in the software, which have not yet been corrected. The most serious is a missing authentication vulnerability, which hackers can exploit to access any patient’s medical test data. Authenticated users of the program can upload patients’ examination results to the platform, where they are stored in the /tests/ directory. Requests for files in that directory do not require authentication, so the test results are displayed to anyone who requests them.

In order to obtain the test data, an unauthenticated user would have to guess the file names; however, the BishopFox researcher stated that medical test file names are usually predictable and may be obtained using the server log files. Attackers could remotely exploit the vulnerability (CVE-2020-28937), which has been given a high severity rating.

The researcher also discovered an insecure file upload vulnerability (CVE-2020-28939) with a high severity rating that would permit users with administrative or administrator user roles to upload malicious files. According to the researcher, users who are authorized to enter medical tests for patients can upload files with no restriction on the file types accepted by the system. Hence, it would be possible to upload web shells, which can be used for arbitrary code execution on the application server. A malicious actor with an administrative or administrator user role could obtain sensitive data, escalate privileges, install malicious software, or gain access to the internal network.

The third vulnerability (CVE-2020-28938) was assigned a medium severity rating. This cross-site scripting vulnerability permits users of the software to execute actions on behalf of other users. The application includes controls intended to prevent cross-site scripting, but those controls can be bypassed. A low-privileged user could take advantage of the vulnerability by getting an Administrator to click a malicious URL, which could be used to deliver a payload that creates a new Administrator account for the low-privileged user.

The fourth vulnerability is a path traversal vulnerability with a low-severity score. An attacker could exploit this flaw in a DoS attack affecting the upload function. The vulnerability makes it possible for an authenticated attacker to write files to the filesystem of the server.
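As an added illustration (not OpenClinic's code or the researcher's), the Python sketch below shows the server-side checks whose absence the upload and path traversal findings describe: a file type allow-list, a content check, and a storage name chosen by the server rather than the client. The function name, the allowed types and the exception class are assumptions made for the example.

```python
import os
import secrets

# Assumed allow-list for test results: extension -> leading magic bytes.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


class UploadRejected(Exception):
    """Raised when an uploaded medical test file fails validation."""


def store_test_upload(client_name: str, data: bytes, storage_dir: str) -> str:
    """Validate an upload, write it under storage_dir, return the stored name."""
    # Use the client-supplied name only to read an extension. Strip any
    # directory part, treating both "/" and "\\" as separators.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()

    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"file type {ext!r} is not allowed")
    # The extension alone is attacker-controlled, so check the content too.
    if not data.startswith(magic):
        raise UploadRejected("content does not match the declared type")

    # The server picks an unguessable name; nothing from the request
    # becomes part of the path.
    stored_name = secrets.token_hex(16) + ext
    root = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(root, stored_name))
    # Defence in depth: confirm the resolved path stays inside the root.
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("resolved path escapes the storage directory")

    # Mode "xb" refuses to overwrite an existing file.
    with open(target, "xb") as fh:
        fh.write(data)
    return stored_name
```

A random stored name also removes the predictable file names noted for CVE-2020-28937, but it does not replace an authentication check on the handler that serves the files.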

Gerben Kleijn, Senior Security Consultant at Bishop Fox, discovered the flaws. At the time the report was published, no version of OpenClinic was free of the discovered vulnerabilities. Users are advised to switch to other medical records management software.

These are not the first serious vulnerabilities to be identified in OpenClinic this year. In July, an alert was issued by CISA about 12 vulnerabilities in the software, 3 of which were rated critical and 2 high severity.