Critical Vulnerabilities Identified in the OpenClinic GA Integrated Hospital Information Management System

OpenClinic GA has acknowledged 12 vulnerabilities in its open-source integrated hospital information management system.

Hospitals and clinics use OpenClinic GA to handle financial, administrative, clinical, pharmacy, and laboratory workflows. It is also used for outpatient and inpatient management, medical billing, ward management, bed management, and other hospital operations.

The vulnerabilities were discovered by Brian D. Hysell. Three were rated critical and six were rated high severity. An attacker exploiting them could bypass authentication, gain access to confidential data, view or modify database contents, and execute malicious code remotely.

An attacker with a low level of skill could exploit the vulnerabilities. Several of them are remotely exploitable, and public exploits exist for some. The CVSS v3 base scores of the vulnerabilities range from 5.4 to 9.8.

The following vulnerabilities affect OpenClinic GA versions 5.09.02 and 5.89.05b:

CVE-2020-14495 – Critical, with a CVSS v3 base score of 9.8. The use of third-party components that have reached end of life and contain known vulnerabilities could lead to remote arbitrary code execution.

CVE-2020-14487 – Critical, with a CVSS v3 base score of 9.4. An attacker could use a hidden default user account to log in to the application and execute arbitrary commands, unless an administrator has explicitly disabled the account.

CVE-2020-14485 – Critical, with a CVSS v3 base score of 9.4. Client-side access controls can be bypassed to initiate a session with limited functionality that nonetheless provides administrative capability to execute SQL commands.

CVE-2020-14493 – High severity, with a CVSS v3 base score of 8.8. Low-privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands.

CVE-2020-14488 – High severity, with a CVSS v3 base score of 8.8. Because uploaded files are insufficiently validated, a low-privileged user may be able to upload arbitrary files to the system and execute them.
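The last two entries both come down to the server accepting a client-supplied filename or file content without checking it. The following is an added example, written for this article and not code from OpenClinic GA (which is a Java application; Python is used here only for illustration). It places a weak, extension-only check beside a hardened server-side validator: size cap, no path components, a strict single-extension filename pattern, a magic-bytes check that the content matches the claimed type, and a server-generated storage name. The allowlist, size cap, and sample uploads are constructed for the example.

```python
import os
import re
import secrets

# Constructed allowlist (an assumption, not OpenClinic GA's policy): each permitted
# extension is paired with the leading bytes a genuine file of that type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed size cap

# Constructed sample uploads: a genuine PNG header, and server-side script source
# that an attacker might try to pass off as an image by renaming it.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SCRIPT = b'<% out.println("not an image"); %>'


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def weak_extension_check(filename: str) -> bool:
    """The insufficient check: it trusts only the client-supplied name.
    A file called 'cmd.png' whose bytes are script source passes."""
    return filename.lower().endswith(tuple("." + ext for ext in ALLOWED_TYPES))


def validate_upload(filename: str, data: bytes) -> str:
    """Server-side validation that does not trust the client:
    - size cap, so one upload cannot exhaust storage;
    - no path components, so the name cannot steer the write elsewhere;
    - strict filename charset with exactly one extension from the allowlist;
    - magic-bytes check, so the content must match the claimed type;
    - a server-generated storage name, so the client never chooses the path.
    Returns the storage name to use; raises UploadRejected otherwise."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    if os.path.basename(filename) != filename:
        raise UploadRejected("path components are not allowed")
    # Exactly one extension: 'shell.jsp.png' fails here, 'report.png' passes.
    match = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", filename)
    if not match:
        raise UploadRejected("filename does not match the allowed pattern")
    ext = match.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed file type")
    # The caller stores the bytes under this name in a directory outside the web root,
    # so even a file that slipped through is never served as executable content.
    return f"{secrets.token_hex(16)}.{ext}"


def try_upload(filename: str, data: bytes) -> str:
    """Wrapper that reports 'stored: <name>' or 'rejected: <reason>'."""
    try:
        return "stored: " + validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    samples = [
        ("scan.png", SAMPLE_PNG),
        ("shell.jsp.png", SAMPLE_SCRIPT),
        ("cmd.png", SAMPLE_SCRIPT),
        ("../../webapp/x.png", SAMPLE_PNG),
    ]
    for name, blob in samples:
        print(f"{name:22} weak={weak_extension_check(name)!s:5} "
              f"hardened={try_upload(name, blob)}")
```

Running the block shows that the weak check accepts every one of the constructed names, while the hardened validator stores only the genuine PNG and rejects the double extension, the mislabelled script, and the path-traversal name, each with a distinct reason that can be logged for detection.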

More detail is available in the CISA medical advisory.

OpenClinic GA is aware of the vulnerabilities and has taken steps to address them; however, there is no evidence yet that the vulnerabilities have been fixed.

All healthcare organizations using OpenClinic GA should upgrade to the current version to minimize the likelihood of exploitation.

CISA recommends applying the principle of least privilege, minimizing the network exposure of control system devices and systems, and ensuring they are not accessible from the internet. All systems should be placed behind a firewall, and remote access should require a VPN. VPNs should be kept at the most recent version and patched immediately.