LibreHealth Open Source Software Flaws

Posted by Paulo Shakarian on Jul 23, 2020 8:00:39 AM

[Figure: Vulnerabilities in Healthcare]

Last week, on July 14, 2020, security researchers at BishopFox Labs (BFL) disclosed new vulnerabilities in the electronic health record (EHR) system LibreHealth EHR 2.0 that they had discovered in February.

The delay between discovery and public disclosure is normal; BFL worked privately to give LibreHealth time to create the necessary patches, and they are nearing that goal. LibreHealth is not a software company, but rather a collaborative community of volunteers dedicated to free and open source software projects in Health IT.

A total of five vulnerabilities were discovered, all of which could compromise EHR 2.0 and expose patients’ sensitive health care records. The vulnerabilities consisted of:

CVE-2020-11436 – a cross-site scripting (XSS) issue that would allow attackers to force actions on other users' behalf

CVE-2020-11437 – an SQL injection issue that resulted in sensitive data disclosure

CVE-2020-11438 – a cross-site request forgery (CSRF) issue

CVE-2020-11439 – a local file inclusion (LFI) issue that could be leveraged to compromise the underlying application server

Multiple – previously disclosed, un-remediated vulnerabilities inherited from a vulnerable software base (OpenEMR)

As of this writing, the newly discovered vulnerabilities beginning with CVE-2020 are predicted by CYR3CON to be 9x more likely to be exploited than most ordinary, low-threat vulnerabilities. Less than 15% of vulnerabilities receive this level of prediction from our ML-driven analysis. This result is partly driven by the fact that common weaknesses like cross-site scripting (CWE-79) are of generally high interest to hackers.

Most of the older vulnerabilities associated with the affected versions of OpenEMR carry CYR3CON’s highest prediction, and have for many months, making them over 38x more likely to be exploited than average.

Discovering, analyzing, tracking, and remediating vulnerabilities, especially in open source software, can be difficult even for the largest, most highly skilled, and dedicated developers and cybersecurity teams. The sheer volume and disclosure rate of vulnerabilities simply overwhelms most shops.

If you’re interested in better understanding the challenges of DevSecOps with open source software, consider reading our report, Vulnerability Prioritization Through the Eyes of Hackers, compiled with our friends over at WhiteSource.

Or, drop in on our joint webinar, July 28, 11AM EDT: Diving Into the Evil Internet: Vulnerability Prioritization Through the Eyes of Hackers, where open source vulnerabilities will be a main topic of conversation.


Topics: Cybersecurity, Software Vulnerabilities