Millions of Health Records At Risk Due to Vulnerable OpenEMR Configurations

Researchers from security firm Risk Based Security have found that many installations of OpenEMR, a popular open-source electronic health records management application, contain the original setup script. This gaffe exposes the system to a complete compromise.

OpenEMR is used in thousands of physician offices and small healthcare facilities in the United States and around the world to support more than 90 million patients. It is a PHP-based web application that features fully integrated electronic health records and practice management, scheduling and electronic billing.

The Risk Based Security (RBS) researchers were looking at past vulnerabilities in OpenEMR—118 since 2006—when their attention stopped on an SQL injection flaw in the setup.php script reported in April. Vulnerabilities in installer scripts are not usually a big problem, as these scripts are supposed to be deleted after installation.

However, a closer inspection revealed that the setup script in OpenEMR was not being removed automatically. And the official documentation only advised users to “consider” removing or blocking access to it.

“We believe that this phrasing is far too vague to convince a customer to remove the setup scripts,” said Sven Krewitt, senior vulnerability researcher at Risk Based Security. “It also fails to properly warn about the risks of not doing so.”

An online scan confirmed this: Out of 188 publicly accessible OpenEMR installations found via Shodan and other search engines, 141 still had the setup script in place. And if many internet-exposed installations still have this script, it’s unlikely many administrators have removed it on internal deployments.

“While the sample size is small, we can make a decent assumption that a substantial percentage of the over 20,000 installations of OpenEMR are in a similar state,” the RBS researchers said in a blog post.

Unfortunately, the old SQL injection is not the only problem. Krewitt found another way to exploit the setup script to gain full control over the system and execute malicious PHP code on the web server. This takes advantage of a feature in the installer that enables administrators to set up multiple OpenEMR sites with the same install base.

“Exploitation does require directory permissions allowing the configuration of a new site, but our research shows that around 54 percent of the open installations we uncovered are vulnerable to this sort of attack,” the researchers said.

The problem was reported to the OpenEMR developers, who released a patch earlier this month and updated their documentation to recommend the removal of the setup.php script.

The RBS research also revealed that a majority of internet-accessible OpenEMR installations were located in the United States and were hosted on Amazon, Google and Microsoft cloud computing platforms, which further strengthens the belief that many cloud-hosted applications are not properly locked down.

“The potential impact to medical data is highly concerning to RBS,” the researchers said. “We were able to track down 78 of the 141 organizations that had an OpenEMR installation with the setup script accessible. However, finding the proper contact information proved difficult and time-consuming. It is a stark reminder of the importance of having an easy to find security contact email address on your website.”

The incident also highlights why it’s important for developers to provide secure default configurations and not expect users to lock down their installations. Another example is that of MongoDB, which until version 2.6.0 provided a configuration that accepted remote connections by default and left it to use to restrict access.

This insecure configuration has led to tens of thousands of databases, many with sensitive data, being left publicly accessible on the internet without any password. Many of those databases were hit by ransomware attacks earlier this year.

Featured eBook
Securing the Code: DevOps Security and AppSec

Securing the Code: DevOps Security and AppSec

DevSecOps represents a fundamental shift from the status quo by making security a much more collaborative effort. Applications are the business in this digital age. Securing the applications that drive your business is essential to providing safe digital experiences to your entire business ecosystem. With DevSecOps, security is automated and integrated into the development process. Security ... Read More
DevOps.com

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 265 posts and counting.See all posts by lucian-constantin

One thought on “Millions of Health Records At Risk Due to Vulnerable OpenEMR Configurations

  • December 2, 2017 at 5:42 pm
    Permalink

    OpenEMR is an open source project supported by a large community of volunteers, professionals, physicians, and contributors with the goal that all people, regardless of race, socioeconomic status or geographic location, have access to high-quality free electronic medical record software.

    The OpenEMR community takes security very seriously and the above vulnerability was fixed and the patch was announced within several days of initial contact by the security firm. Please see here for the complete OpenEMR Community Response to the recent burst of sensationalism journalism:
    http://www.open-emr.org/wiki/index.php/Critical_Security_Fix_for_OpenEMR_setup.php#OpenEMR_Community_Response

Comments are closed.