been a while since credit card and social security numbers were enough to supply the criminal market with stolen data. In the last few years there has been a marked increase in the amount of healthcare data up for sale, thanks to some major data breaches and the notoriously poor security of smaller providers. While it may be improving, there are still plenty of unpatched systems out there. Even worse, some providers are using applications that are largely unsupported. A recent announcement from researchers at Bishop Fox is proof of that.
An open source application called OpenClinic, used for health records management, was found to have four major 0-day vulnerabilities. The most critical is a missing authentication check: a patient does not have to sign in to view test results. This would allow an attacker to directly access patient data with only the path to the file.
The other three bugs require authentication. A cross-site scripting vulnerability allows an attacker to “embed a malicious payload within a medical record’s address field.” With administrator privileges, an attacker could upload malicious files to an endpoint on the server, allowing them to execute arbitrary code. There is also a path traversal vulnerability that allows files to be stored outside of designated directories. All versions of OpenClinic are vulnerable to all four bugs. The last update to the application was in 2016.
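The two file-handling bugs above, the missing authentication check and the path traversal, come down to two checks a record-download handler has to make before it touches the filesystem. The following is an added example written for this article, not OpenClinic's code and not from Bishop Fox: a minimal handler that serves a patient's record file only for a logged-in session that is allowed to see that patient, and only from inside that patient's designated directory. The directory layout, session dictionary and function names are assumptions; the sample files are constructed in a temporary directory so the example runs offline. A deliberately unchecked `vulnerable_fetch` is kept beside it for contrast.

```python
"""Added example (not OpenClinic's code): a record-download handler with the
authentication and directory-confinement checks the article says were missing.
Directory layout, session format and function names are assumptions."""
from pathlib import Path
import tempfile

# Constructed sandbox: <tmp>/records/<patient_id>/<file>; nothing outside
# <tmp>/records should ever be served.
RECORD_ROOT = Path(tempfile.mkdtemp()) / "records"


class AccessDenied(Exception):
    """Raised when a request fails the authentication or path checks."""


def setup_sample_records():
    """Create constructed sample data: one patient file plus a file that sits
    outside the records tree, to show what traversal would otherwise reach."""
    (RECORD_ROOT / "patient-42").mkdir(parents=True, exist_ok=True)
    (RECORD_ROOT / "patient-42" / "labs.txt").write_text("constructed test result")
    (RECORD_ROOT.parent / "secret.txt").write_text("outside designated directory")


def resolve_record_path(patient_id, filename):
    """Confine the requested file to the patient's designated directory.
    resolve() normalises any '..' or symlink, so the containment test is done
    on the real path, not on the string the client sent."""
    base = (RECORD_ROOT / patient_id).resolve()
    target = (base / filename).resolve()
    if target != base and base not in target.parents:
        raise AccessDenied("path escapes designated directory")
    return target


def vulnerable_fetch(session, patient_id, filename):
    """'Before' form for contrast: no session check and a raw path join, so an
    unauthenticated caller who knows a path can read it (the article's bug)."""
    return (RECORD_ROOT / patient_id / filename).read_text()


def hardened_fetch(session, patient_id, filename):
    """Serve a record only for an authenticated session that owns the record
    (or has a staff role), and only from inside the designated directory."""
    if not session or not session.get("authenticated"):
        raise AccessDenied("login required")  # the missing check
    if session.get("patient_id") != patient_id and session.get("role") != "staff":
        raise AccessDenied("session may not view this patient's records")
    path = resolve_record_path(patient_id, filename)
    if not path.is_file():
        raise FileNotFoundError(filename)
    return path.read_text()


def denied(session, patient_id, filename):
    """True when hardened_fetch refuses the request; used for checks below."""
    try:
        hardened_fetch(session, patient_id, filename)
    except AccessDenied:
        return True
    return False


# Build the constructed sample data at import so the functions can be called directly.
setup_sample_records()

if __name__ == "__main__":
    patient = {"authenticated": True, "patient_id": "patient-42"}
    print(hardened_fetch(patient, "patient-42", "labs.txt"))
    print("anonymous denied:", denied(None, "patient-42", "labs.txt"))
    print("traversal denied:", denied(patient, "patient-42", "../../secret.txt"))
```

The containment test compares resolved paths rather than looking for `..` in the input string, which is the check that holds up against encoded or symlinked variants; the authentication check runs before any filesystem access so that an unauthenticated request never learns whether a path exists.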
The Bishop Fox team attempted to contact the developers of OpenClinic three times but received no response. After 90 days (per their disclosure policy), they published their findings. OpenClinic appears to no longer be supported, and the changelog suggests that releases were few and far between to begin with. A quick Google search suggests that there are few providers out there still using the software in some capacity. The exposed records are old, but exposed nonetheless. The best option for anyone still using the application is to find an alternative as soon as possible.