OpenClinic GA, a popular open-source hospital management system, was found to contain 12 vulnerabilities that malicious actors could exploit to gain access to sensitive information or to install malware on the hosting server.
As the description of OpenClinic GA says, it is an "integrated hospital information management system, covering the management of administration, finance, clinics, laboratories, x-rays, pharmacies, meal distribution and other data." It is used worldwide, with almost 120,000 downloads.
Brian Hysell, a senior advisor at the Synopsys Software Integrity Group, discovered that the software contains twelve vulnerabilities, most of which are critical. If exploited by attackers, they could lead to bypassing login and protection checks, obtaining sensitive information, uploading and executing arbitrary files, and running arbitrary code or commands.
CISA (the Cybersecurity and Infrastructure Security Agency) published an advisory last week describing the security issues identified by Hysell.
According to the researcher, he reported his findings in August 2018. However, he was unable to get in direct contact with the service's developer, who in March 2019 stated that most of the vulnerabilities had been fixed. It is not known exactly which of the vulnerabilities have actually been fixed.
According to Hysell, many of the vulnerabilities could be chained together to allow an intruder with access to the application through a browser to perform various malicious activities, including viewing or modifying the contents of the database (including patient data) or installing malware on the server hosting OpenClinic GA.
"Other bugs (CVE-2020-14485) in the application's session management allow intruders to completely bypass the login. So they could only access certain parts of the application, but unfortunately these include the SQL query table," the researcher added.
Hysell also points out that a malicious actor could exploit some of the vulnerabilities directly from the Internet if an organization has configured the application to allow remote access.