Researchers from security firm Risk Based Security have found that many installations of OpenEMR, a popular open-source electronic health records management application, contain the original setup script. This gaffe exposes the system to a complete compromise.
OpenEMR is used in thousands of physician offices and small healthcare facilities in the United States and around the world to support more than 90 million patients. It is a PHP-based web application that features fully integrated electronic health records and practice management, scheduling and electronic billing.
The Risk Based Security (RBS) researchers were reviewing past vulnerabilities in OpenEMR—118 since 2006—when their attention was drawn to an SQL injection flaw in the setup.php script reported in April. Vulnerabilities in installer scripts are not usually a big problem, as these scripts are supposed to be deleted after installation.
However, a closer inspection revealed that the setup script in OpenEMR was not being removed automatically. And the official documentation only advised users to “consider” removing or blocking access to it.
“We believe that this phrasing is far too vague to convince a customer to remove the setup scripts,” said Sven Krewitt, senior vulnerability researcher at Risk Based Security. “It also fails to properly warn about the risks of not doing so.”
An online scan confirmed this: Out of 188 publicly accessible OpenEMR installations found via Shodan and other search engines, 141 still had the setup script in place. And if many internet-exposed installations still have this script, it’s unlikely many administrators have removed it on internal deployments.
“While the sample size is small, we can make a decent assumption that a substantial percentage of the over 20,000 installations of OpenEMR are in a similar state,” the RBS researchers said in a blog post.
Unfortunately, the old SQL injection is not the only problem. Krewitt found another way to exploit the setup script to gain full control over the system and execute malicious PHP code on the web server. This takes advantage of a feature in the installer that enables administrators to set up multiple OpenEMR sites with the same install base.
“Exploitation does require directory permissions allowing the configuration of a new site, but our research shows that around 54 percent of the open installations we uncovered are vulnerable to this sort of attack,” the researchers said.
The problem was reported to the OpenEMR developers, who released a patch earlier this month and updated their documentation to recommend the removal of the setup.php script.
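Two defender-side checks for the leftover installer described above, added here as an example (not code from the article or from the OpenEMR project): an audit of OpenEMR document roots that still contain setup.php, and a scan of access-log lines for requests that reached setup.php, so an administrator can see whether the script is present and whether it is being probed. The log lines, IP addresses and directory names are constructed sample data; the combined log format is the standard Apache/nginx one.

```python
import os
import re
import tempfile

# Combined log format: client - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Match setup.php as the final path element, with or without a query string.
SETUP_RE = re.compile(r'(^|/)setup\.php(\?|$)')


def find_setup_script_hits(lines):
    """Return (ip, path, status) for every request whose path targets setup.php.
    A 200 means the script answered (still present and reachable); a 403
    means the web server blocked it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        if SETUP_RE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def audit_install_dirs(roots):
    """Return the OpenEMR document roots that still contain setup.php."""
    return [r for r in roots if os.path.isfile(os.path.join(r, "setup.php"))]


# Constructed sample log lines (IPs from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2017:10:01:02 +0000] "GET /openemr/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Aug/2017:10:01:09 +0000] "GET /openemr/interface/login/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2017:10:01:15 +0000] "POST /openemr/setup.php?site=sample HTTP/1.1" 200 611 "-" "curl/7.54"',
    '192.0.2.9 - - [10/Aug/2017:10:02:00 +0000] "GET /openemr/setup.php HTTP/1.1" 403 199 "-" "python-requests/2.18"',
    'garbage line that does not parse',
]


def demo_audit():
    """Build a constructed install tree (one root with setup.php left behind,
    one clean) and return the base names of the roots flagged by the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        stale = os.path.join(tmp, "openemr")
        clean = os.path.join(tmp, "clean")
        os.makedirs(stale)
        os.makedirs(clean)
        open(os.path.join(stale, "setup.php"), "w").close()
        return [os.path.basename(r) for r in audit_install_dirs([stale, clean])]


if __name__ == "__main__":
    for ip, path, status in find_setup_script_hits(SAMPLE_LOG):
        print(f"setup.php request from {ip}: {path} -> {status}")
    print("roots still carrying the installer:", demo_audit())
```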
The RBS research also revealed that a majority of internet-accessible OpenEMR installations were located in the United States and were hosted on Amazon, Google and Microsoft cloud computing platforms, which further strengthens the belief that many cloud-hosted applications are not properly locked down.
“The potential impact to medical data is highly concerning to RBS,” the researchers said. “We were able to track down 78 of the 141 organizations that had an OpenEMR installation with the setup script accessible. However, finding the proper contact information proved difficult and time-consuming. It is a stark reminder of the importance of having an easy to find security contact email address on your website.”
The incident also highlights why it’s important for developers to provide secure default configurations and not expect users to lock down their installations. Another example is that of MongoDB, which until version 2.6.0 shipped a configuration that accepted remote connections by default and left it to users to restrict access.
This insecure configuration has led to tens of thousands of databases, many with sensitive data, being left publicly accessible on the internet without any password. Many of those databases were hit by ransomware attacks earlier this year.