PHOENIX, Sept. 10, 2019 /PRNewswire/ — Bishop Fox, the largest private cybersecurity professional services firm focused on offensive security testing, has uncovered two vulnerabilities, one of them high risk, in OpenEMR, a widely used open source medical records management tool. Bishop Fox researchers found the security issues in Version 5.0.1(6) of OpenEMR, software that is used to manage millions of electronic patient records around the world.

The high-risk vulnerability is an authenticated remote code execution flaw: a logged-in user could execute arbitrary code on the application server and compromise the underlying host. The second finding is a cross-site scripting vulnerability that lets an attacker run arbitrary JavaScript in a victim's browser. The two issues can be chained: by enticing an administrative user to click a maliciously crafted link, an attacker can run script in that administrator's authenticated session and use it to trigger the remote code execution, gaining access to the server without needing credentials of their own.

The vulnerabilities were uncovered by Chris Davis, a senior security analyst at Bishop Fox.

"Due to the nature of the application, incredibly sensitive information was available as a result of these vulnerabilities – sensitive medical data, people's names, Social Security numbers, physical addresses, dates of birth, etc.," said Davis. "Exploitation could lead to a complete server compromise, and once the server is compromised, it puts the attacker on the internal network. This changed the attack scope from external to internal, making it especially dangerous."

Davis and Bishop Fox disclosed their findings to OpenEMR, and the parties worked together to remediate the issues quickly. Additional technical information on how Bishop Fox found and exploited these vulnerabilities can be found here.

About Bishop Fox
Bishop Fox is the largest private cybersecurity professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world's leading organizations – working with over 25% of the top Fortune 100 companies – to help secure their products, applications, networks, and cloud environments with penetration testing and security assessments. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.

Amy Blumenthal



SOURCE Bishop Fox