The goal of ethical hacking is to search: to search for vulnerabilities and weaknesses in computer systems, just as a cybercriminal would, in order to identify and fix security flaws and strengthen those systems against possible attacks. In line with this approach, the team at Sofistic, Cuatroochenta's cybersecurity unit, recently discovered and reported five security vulnerabilities in a popular open-source medical practice management system. Specifically, they found the vulnerabilities in OpenEMR, which, according to its maintainers, is used by more than 100,000 healthcare providers worldwide and serves over 200 million patients.
This finding is part of a broader investigation the company is conducting to assess the security maturity of open-source medical management systems; as part of it, approximately twenty open-source healthcare management software solutions have been analyzed. The healthcare sector has been a frequent target of cybercriminals in recent years because of the large amount of sensitive information that hospitals, healthcare centers, and pharmaceutical companies handle, and these attacks have had a significant impact on healthcare activity. For instance, the Hospital Clínic in Barcelona, the drug distributor Alliance Healthcare, and the Colombian pharmacy chain Audifarma have all suffered cyber-attacks.
Ethical Hacking
It involves applying a security audit process from the attacker's perspective to uncover flaws.
Chronology of the procedure:
1 · Investigate
2 · Report the vulnerability
3 · Contact the vendor or seller
4 · Remediate the vulnerability
5 · Release a new version with the necessary corrections
6 · Publish the bug report and assign a CVE
Applying specific skills and knowledge, Sofistic's team of ethical hackers broke into the OpenEMR system, which is certified by the U.S. Office of the National Coordinator for Health Information Technology (ONC). During the pentest, five security vulnerabilities were detected, four of them of high severity. The OpenEMR maintainers were then contacted and given time to fix the identified vulnerabilities and release an updated version. Following standard coordinated-disclosure practice, once the necessary patches had been applied the fixes were verified and each bug was assigned a Common Vulnerabilities and Exposures (CVE) identifier so that it can be referenced globally. Finally, the vulnerabilities were published in the National Vulnerability Database (NVD), the public vulnerability repository of the United States, and in the vulnerability registry of the Spanish National Institute of Cybersecurity (INCIBE).
The five vulnerabilities detected
1 · Validation failure in the document upload form
The Sofistic team discovered that the name field of the document upload form accepted any characters without validation. This allowed a user to store a malicious record that rendered the form unusable, affecting the operation of the application. In effect the vulnerability behaved like a denial of service (DoS), because the form remained inaccessible until the offending record was removed from the program's database.
2 · Security problem in the message module
The same vulnerability found in the payment module (see item 5 below) was also present in the program's messaging system. Specifically, several parameters of the messaging module were reflected into the page without proper validation or encoding, allowing injected script that could modify the behavior of the user's browser and steal their personal data.
3 · File upload validation error
The file upload functionality did not properly validate the file attribute, allowing any authenticated user to bypass this security check and upload any type of file. An authenticated attacker could use this vulnerability to upload potentially malicious files that are then served from the application's own domain, such as phishing HTML pages or malware that runs in the browser, or even to use the system as a repository for copyrighted content.
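Items 1 and 3 are both input-validation failures on the same upload form: an unrestricted name field and an unchecked file attribute. The following is an added example, not OpenEMR's code (OpenEMR is written in PHP; Python is used here only for illustration), of how a practitioner would validate both before anything reaches the database or disk. The name allowlist, the accepted file types and the `validate_upload` function are all assumptions made for the example.

```python
import re
import uuid
from dataclasses import dataclass

# Allowlist for the human-readable document name (hypothetical policy, not OpenEMR's):
# letters, digits, space and a few punctuation marks, 1-100 characters.
# Anything else (angle brackets, control characters, quotes) is rejected outright
# rather than stored, so a hostile name can never break the form that lists it.
NAME_RE = re.compile(r"[A-Za-z0-9 ._()-]{1,100}")

# File extensions the endpoint accepts, each paired with the magic bytes a genuine
# file of that type must start with and the Content-Type it will be served with.
# Assumed set for the example; a real deployment chooses its own.
ALLOWED_TYPES = {
    "pdf":  (b"%PDF-", "application/pdf"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}


class UploadRejected(ValueError):
    """Raised for any input that fails validation; the caller maps it to HTTP 400."""


@dataclass(frozen=True)
class StoredDocument:
    display_name: str   # validated user-supplied name, shown in the UI
    stored_name: str    # server-generated filename, never the client's
    content_type: str   # fixed by the validated type, never the client's header


def validate_document_name(name: str) -> str:
    """Reject the name field unless it matches the allowlist exactly."""
    name = name.strip()
    if not NAME_RE.fullmatch(name):
        raise UploadRejected("document name contains disallowed characters or is too long")
    return name


def validate_upload(name: str, filename: str, content: bytes) -> StoredDocument:
    """Validate both the name field and the file before anything touches disk."""
    display_name = validate_document_name(name)

    # 1. Extension allowlist on the client-supplied filename (lower-cased, last suffix only).
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"file type '.{ext or '?'}' is not permitted")

    # 2. Content check: the bytes must match the extension, so renaming
    #    page.html to page.pdf is caught here regardless of what the client declared.
    magic, content_type = ALLOWED_TYPES[ext]
    if not content.startswith(magic):
        raise UploadRejected("file content does not match its extension")

    # 3. Store under a random server-chosen name with the validated extension,
    #    so path tricks or double extensions in the original filename are irrelevant.
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return StoredDocument(display_name, stored_name, content_type)


if __name__ == "__main__":
    # Constructed inputs: one legitimate PDF and one HTML page disguised as a PDF.
    print(validate_upload("Lab results 2023", "report.pdf", b"%PDF-1.4\n"))
    try:
        validate_upload("Lab results 2023", "report.pdf", b"<html><script>")
    except UploadRejected as exc:
        print("rejected:", exc)
```

Validation on upload is only half of the fix: the download side should serve stored files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and ideally from a separate origin, so that even a file that slips through cannot execute in the context of the application.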
4 · Gaps in access controls to patient records
This is the most critical vulnerability discovered by Sofistic's technicians, as it directly affects patients' clinical data. An authenticated user could access any document in the system simply by manipulating two parameters in the URL, with no check that the user was authorized to see that patient's records. This flaw not only allowed reading documents containing test results and confidential clinical history, but also let unprivileged users download these files, falsify them, and upload them again.
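The flaw described here is an insecure direct object reference: the handler trusts the patient and document identifiers from the URL instead of checking them against the caller's permissions. The following added example (illustrative Python, not OpenEMR's PHP code) shows the vulnerable pattern beside a hardened one in which every read and write goes through a single authorization gate. The in-memory document store, the `PATIENT_ACCESS` map standing in for a real ACL, and the function names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    patient_id: int
    content: bytes


class Forbidden(PermissionError):
    """Mapped to HTTP 403 (or 404, if you prefer not to confirm that a document exists)."""


# Constructed sample store: two patients, one document each.
DOCUMENTS = {
    101: Document(101, 1, b"patient 1: lab results"),
    102: Document(102, 2, b"patient 2: clinical history"),
}

# Hypothetical authorization model: the set of patients each user may access.
# OpenEMR has its own ACL module; this dict only stands in for it.
PATIENT_ACCESS = {
    "dr_garcia": {1},
    "dr_lopez": {2},
}


def fetch_document_vulnerable(user: str, patient_id: int, doc_id: int) -> bytes:
    """Vulnerable pattern: both URL parameters are trusted as-is.

    Being logged in is the only check, so any authenticated user can read any
    document by changing patient_id/doc_id in the URL. `user` and `patient_id`
    are never consulted.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise Forbidden("no such document")
    return doc.content


def _authorize(user: str, patient_id: int, doc_id: int) -> Document:
    """Single authorization gate shared by every read and write path.

    The two URL parameters must agree with each other (the document really
    belongs to that patient) AND the caller must hold access to that patient.
    All failures raise the same error, so a probing user learns nothing from
    the response about which condition failed.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.patient_id != patient_id:
        raise Forbidden("access denied")
    if patient_id not in PATIENT_ACCESS.get(user, set()):
        raise Forbidden("access denied")
    return doc


def fetch_document_hardened(user: str, patient_id: int, doc_id: int) -> bytes:
    return _authorize(user, patient_id, doc_id).content


def replace_document_hardened(user: str, patient_id: int, doc_id: int, new_content: bytes) -> None:
    """The write path (re-uploading a modified file) goes through the same gate as the read path."""
    doc = _authorize(user, patient_id, doc_id)
    DOCUMENTS[doc_id] = Document(doc.doc_id, doc.patient_id, new_content)


if __name__ == "__main__":
    # dr_lopez is only entitled to patient 2 but reads patient 1's file through the vulnerable handler.
    print(fetch_document_vulnerable("dr_lopez", 2, 101))
    try:
        fetch_document_hardened("dr_lopez", 2, 101)
    except Forbidden as exc:
        print("hardened handler:", exc)
```

The point of routing both `fetch` and `replace` through `_authorize` is that the page reports the same flaw on the download and the re-upload path; a fix that only guards the read endpoint still lets a user overwrite records they cannot read.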
5 · Insertion of malicious code through the payment management module
This is a cross-site scripting (XSS) flaw that lets attackers inject script into the page and manipulate the browser of the user running the program, for example redirecting them to a malicious site. In this case, the script that handles credit card payments did not properly validate and encode its parameters, so a user could include raw HTML in the server's response. That HTML was rendered as if it were part of the page and could change the behavior of the affected user's browser. Through this vulnerability, attackers could obtain users' credentials by loading phishing pages that tricked them into believing they were on the program's payment platform.
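Items 2 and 5 are the same class of bug: request parameters reflected into the response without validation or output encoding. The following added example (illustrative Python, not OpenEMR's PHP payment script) renders a minimal payment form the vulnerable way and the hardened way, and runs a constructed attack URL through both. The parameter names `amount` and `note`, the form markup and the `evil.example` host are assumptions made for the example.

```python
import html
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode


def _params(query: str) -> dict:
    """First value of each query-string parameter (stand-in for PHP's $_GET)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_payment_vulnerable(query: str) -> str:
    """Echoes the amount and note parameters straight into the HTML (the flaw)."""
    p = _params(query)
    amount = p.get("amount", "")
    note = p.get("note", "")
    return (
        '<form action="/pay" method="post">'
        f'<input name="amount" value="{amount}">'
        f'<p class="note">{note}</p>'
        "<button>Pay</button></form>"
    )


def render_payment_hardened(query: str) -> str:
    """Validates what has a fixed shape and HTML-encodes everything else."""
    p = _params(query)
    # `amount` has a known shape: a non-negative decimal with at most two places.
    # Anything else is replaced by a safe default instead of being echoed back.
    try:
        raw = Decimal(p.get("amount", "0"))
        amount = raw.quantize(Decimal("0.01"))
        if amount < 0 or amount != raw:
            raise ValueError
    except (InvalidOperation, ValueError):
        amount = Decimal("0.00")
    # `note` is free text, so it is encoded for the HTML context it lands in.
    # quote=True also encodes " and ', which is what stops attribute break-outs.
    note = html.escape(p.get("note", ""), quote=True)
    return (
        '<form action="/pay" method="post">'
        f'<input name="amount" value="{amount}">'
        f'<p class="note">{note}</p>'
        "<button>Pay</button></form>"
    )


# Constructed attack URL: an attribute break-out in `amount` and a redirecting
# script in `note`, both sending the victim to a look-alike login page.
ATTACK_QUERY = urlencode({
    "amount": "\" autofocus onfocus=\"location='https://evil.example/login'",
    "note": "<script>location='https://evil.example/login'</script>",
})


if __name__ == "__main__":
    print(render_payment_vulnerable(ATTACK_QUERY))
    print(render_payment_hardened(ATTACK_QUERY))
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attribute values, but a parameter placed inside a JavaScript block or a URL needs that context's encoding instead. A Content-Security-Policy that disallows inline script is a worthwhile second layer, not a substitute for fixing the reflection.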
«By reporting these security breaches, we can help strengthen systems that handle sensitive information in the healthcare sector, which is one of the most threatened by cybercriminals due to the nature of the data it manages.»