OpenEMR Security


(Brady Miller) #1

Hi,

There have been recent articles about security vulnerabilities in OpenEMR.

Here is the original report of the vulnerabilities:

Here’s a nice complete article discussing many of the details:

And here are 2 other useful articles:


Here are some questions that journalists have asked us along with our replies:

Any comment from OpenEMR about the vulnerabilities?
The OpenEMR community is very thankful to Project Insecurity for their report, which led to an improvement in OpenEMR’s security. Responsible security vulnerability reporting is an invaluable asset for OpenEMR and all open source projects. The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication. A patch was promptly released and announced to the community. Additionally, all downstream packages and cloud offerings were patched.

Have all the problems cited in the report indeed been patched?
The key vulnerability in this report is the Patient Portal Authentication Bypass, which essentially allows a bad actor to bypass authentication and gain access to OpenEMR (if the patient portal is turned on). All the other vulnerabilities require authentication.
The Patient Portal Authentication Bypass, Multiple instances of SQL Injection, Unrestricted File Upload, Remote Code Execution, and Arbitrary File Actions vulnerabilities were all fixed.
The Unauthenticated Information Disclosure and Unauthenticated Administrative Actions involve files that are removed after installation, so there was no fix needed.
The CSRF was not fixed and OpenEMR is working on a mechanism, which will require substantial code changes, to prevent this in the next OpenEMR version.

What do healthcare entities who use OpenEMR need to do to address the issues? Any suggestions for those organizations?
They just need to install the most recent patch at https://www.open-emr.org/wiki/index.php/OpenEMR_Patches . New patches and security fixes are announced to the registration list in addition to OpenEMR’s online forum and social accounts (such as Twitter, Facebook, etc.). There is an online community at open-emr.org that can provide free support in addition to a group of vendors that can provide professional support.

I understand that OpenEMR is used to manage between 90 million and 110 million patient records worldwide. Is that figure accurate? What countries are the biggest users of OpenEMR?
That figure is only an estimate and taken from this article in 2012: http://www.openhealthnews.com/hotnews/openemr-continues-grow-popularity-and-use
OpenEMR is an open source software project and does not require registration. There is an optional registration which only collects email addresses, so the location of these OpenEMR users is not known.

Hopefully the above information helps to inform the community.
Conclusion and plan moving forward:
I’m planning to focus more on OpenEMR’s security. We are working on a CSRF mechanism now and are going through OpenEMR’s codebase to remove all lingering SQL injection and XSS vulnerabilities. See here for ongoing updates to the plan:
https://www.open-emr.org/wiki/index.php/Codebase_Security

If anybody is interested in helping with this effort, just let me know.

Thanks,
-Brady