OpenClinic GA has 12 vulnerabilities identified in its open-source integrated hospital information management system.
Numerous hospitals and clinics use OpenClinic GA for managing financial, administrative, clinical, laboratory and pharmacy workflows. It is also used for medical billing, bed management, ward management, out-patient and in-patient management, and some other hospital management tasks.
Brian D. Hysell found the vulnerabilities. Three vulnerabilities have a critical rating while 6 have a high severity rating. An attacker exploiting the vulnerabilities can evade authentication, obtain access to restricted data, see or change database data, and remotely implement malicious code.
An attacker with a low level of skill can exploit the vulnerabilities. Some vulnerabilities may be remotely exploited. Some vulnerabilities have public exploits. The vulnerabilities were given varying CVSS v3 base codes from 5.4 to 9.8.
The vulnerabilities found in OpenClinic GA Versions 5.89.05b and 5.09.02 include the following:
- CVE-2020-14495 has a CVSS v3 base rating of 9.8 or Critical. The usage of third-party parts that have attained the end of life and have identified vulnerabilities that can possibly result in the remote execution of arbitrary code.
- CVE-2020-14487 has a CVSS v3 base rating of 9.4 or Critical. An attacker can use a hidden default user account to login to the program and implement arbitrary commands, except when an administrator expressly turned off the account.
- CVE-2020-14485 has a CVSS v3 base rating of 9.4 or Critical. It is possible to bypass the client-side access controls to start a session with restricted functionality, which gives administrative functions to execute SQL commands.
- CVE-2020-14493 has a CVSS v3 base rating of 8.8 or High Severity. Low privileged users can utilize SQL syntax to create arbitrary files on the server and implement arbitrary commands.
- CVE-2020-14488 has a CVSS-v3 base rating of 8.8 or High Severity. Because of insufficient validation of uploaded files, a low privilege user can upload as well as execute arbitrary files on the system.
The CISA medical advisory has provided more information about the vulnerabilities.
OpenClinic GA already knows about the vulnerabilities and is taking steps to resolve the vulnerabilities, however, there is no confirmation yet if the vulnerabilities have been fixed.
All healthcare organizations using the OpenClinic GA are instructed to update the software to the most recent version to lessen the possibility of exploitation and to make sure the software is updated.
CISA advises implementing the principle of least privilege, reducing exposure of control system devices/systems to networks, and making the system inaccessible over the web. All systems ought to be placed behind a firewall, and must require a VPN in case of remote access. VPNs must use the newest version and patches should be applied immediately.