HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Multiple Flaws Identified in LabKey Server Community Edition

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code in the browser of a LabKey user.

LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed.

CVE-2019-3911 – Reflected XSS

Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v18.3.0 related to the validation and sanitization of query functions, in particular the query.sort parameter. The parameter is reflected in output to the user and interpreted by the browser, which opens the door to a cross-site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication.


CVE-2019-3912 – Open Redirects

Open redirects via the returnURL parameter are present throughout LabKey Server and could be manipulated to redirect users to a location under the control of the attacker. __r paths are the easiest to manipulate.
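Both the reflected query.sort parameter and the returnURL open redirect above come down to trusting a request parameter that the application should have constrained. The following is an added example of the defender-side checks, not LabKey's own code: it assumes the only legitimate returnURL values are same-origin absolute paths, and it assumes query.sort is a comma-separated list of column names with an optional +/- direction prefix (an assumed syntax, used only to build an allowlist).

```python
"""Added example: input checks for returnURL and query.sort (not LabKey code)."""
import re
from urllib.parse import urlsplit

# Assumed sort syntax such as "-Created,Name": allowlist of column names only.
_SORT_RE = re.compile(
    r"^[+-]?[A-Za-z_][A-Za-z0-9_/]*(?:,[+-]?[A-Za-z_][A-Za-z0-9_/]*)*$"
)


def weak_return_url(value: str) -> str:
    """The weak pattern: accept anything that starts with '/'.

    A protocol-relative value like '//attacker.example' passes this check, and
    the browser resolves it to a different host, which is the open redirect.
    """
    return value if value.startswith("/") else "/"


def is_safe_return_url(value: str) -> bool:
    """True only for a same-origin path such as '/project/home.view'.

    Rejects anything a browser could resolve to another host: absolute URLs,
    protocol-relative '//host', backslash variants ('/\\host'), non-http
    schemes such as javascript:, and whitespace or control characters that
    URL parsers may silently strip before the scheme or host is read.
    """
    if not value or value != value.strip():
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return value.startswith("/") and not value.startswith("//")


def resolve_return_url(value: str, fallback: str = "/") -> str:
    """Hardened pattern: fall back to a fixed in-app path on any failed check."""
    return value if is_safe_return_url(value) else fallback


def is_safe_sort_param(value: str) -> bool:
    """Allowlist check for query.sort (assumed syntax).

    Defence in depth only: the reflected value must still be HTML-escaped on
    output, because input validation is not what stops reflected XSS.
    """
    return bool(_SORT_RE.fullmatch(value))
```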

CVE-2019-3913 – Network Drive Mapping Logic Flaw

Improper sanitization of supplied values in the mount function allows a user to manipulate the arguments passed to the ‘net use’ command when mapping network drives. Tenable has illustrated one of the vulnerabilities in a proof-of-concept exploit: supplying any valid drive letter causes the application to end the connection, even if the remainder of the mapping command is not correct. Admin access to the web interface is required to exploit this vulnerability. The flaw could be exploited to map a malicious drive to the server.

Tenable Research disclosed the vulnerabilities to LabKey and patches were developed to correct the three flaws. Updates correcting each of the vulnerabilities were released on January 16, 2019.

To prevent the flaws from being exploited, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.