Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

Twelve vulnerabilities have been identified in the open source integrated hospital information management system OpenClinic GA.

OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions.

Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and six of which are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code.

The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and public exploits exist for some of the flaws. The vulnerabilities have been assigned CVSS v3 base scores ranging from 5.4 to 9.8.

The flaws were identified in OpenClinic GA versions 5.09.02 and 5.89.05b.

The most serious flaws include:

CVE-2020-14495 – The use of third-party components that have reached end of life and contain known vulnerabilities that could potentially lead to remote execution of arbitrary code – CVSS v3 – 9.8 – Critical

CVE-2020-14487 – A hidden default user account could be used by an attacker to log in to the system and execute arbitrary commands, unless the account has been expressly disabled by an administrator – CVSS v3 – 9.4 – Critical

CVE-2020-14485 – Client-side access controls could be bypassed to initiate a session with limited functionality, which could allow admin functions such as SQL commands to be executed – CVSS v3 – 9.4 – Critical

CVE-2020-14493 – Low-privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands – CVSS v3 – 8.8 – High Severity

CVE-2020-14488 – A lack of verification of uploaded files could allow a low-privileged user to upload and execute arbitrary files on the system – CVSS v3 – 8.8 – High Severity

Further information on the vulnerabilities can be found in the CISA medical advisory.

The developers of OpenClinic GA have been made aware of the vulnerabilities and steps are being taken to correct the flaws, but no confirmation has been issued as to whether the flaws have been corrected.

All healthcare organizations that use OpenClinic GA have been advised to update the software to the latest version to reduce the risk of exploitation, and to keep it up to date thereafter.

CISA recommends applying the principle of least privilege, minimizing network exposure for control system devices and systems, and ensuring the system is not accessible from the internet. All systems should be located behind a firewall, and if remote access is required, it should be provided through a VPN. VPNs should be kept updated to the latest version, with patches applied promptly.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.