OpenEMR 0-day Incorrect Access Control Vulnerability (CVE-2022-25041)

OpenEMR is a web application software written using PHP programming to create a hospital information management system. When the software is downloaded through Github or SourceForge, the source code will be included, and you will be able to run the software on your server.

As a result of our research, we detected Incorrect Access Control vulnerability GET requests in /interface/billing/customize_log.php. On this page, there are payment logs that only the administrator should see. However, it has been observed that this page can also be accessed and logs viewed by unauthorized users. 

What is Incorrect Access Control Vulnerability?

An incorrect access control vulnerability refers to a security flaw that exists when specific user permissions are not properly implemented or set up. This can leave an organization's data and systems vulnerable to unauthorized access, manipulation, and destruction. Incorrect access control vulnerabilities can be exploited by malicious actors to gain unauthorized access to sensitive information and systems. As a result, it is important for organizations to properly vet and configure user permissions to mitigate the risk of these vulnerabilities.

How Did We Detect OpenEMR Hospital Information Management System Incorrect Access Control Vulnerability?

As the Security For Everyone team, we regularly look for vulnerabilities in the software we have chosen to find 0-day. One of the software we chose was the OpenEMR Hospital Information Management System web application, which serves hospitals. After deciding on the application that we are going to look for vulnerability, we performed the following steps in order:

We decided to manually examine the source codes of the application downloaded from SourceForge after seeing that it was concerned with automatic source code analysis tools that produced too many false positives.

As a result of our static and dynamic analyses on the source code, we detected Incorrect Access Control vulnerability GET requests on the "/interface/billing/customize_log.php" page.

Using the vulnerability has been observed that this page can be accessed and logs viewed by unauthorized users.

Finally, we applied to MITRE and got our CVE code.

How to prevent Incorrect Access Control Vulnerability?

There are many ways to prevent Incorrect Access Control Vulnerability. One way is to use role-based access control (RBAC), which gives each user a specific set of permissions that correspond to their job role. This limits the users' abilities to access only the data and resources they need to do their job, reducing the risk of unauthorized access. Another way to prevent this vulnerability is to use access control lists (ACLs) which specify the permissions for each user or group of users. This can be used in conjunction with RBAC to provide even more granular control over who has access to what data and resources. Finally, it is important to keep all systems and software up-to-date with the latest security patches, as many of these vulnerabilities are fixed with security updates.

Sources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25041
• https://www.open-emr.org/
• https://github.com/openemr/openemr