Last week, on July 14, 2020, security researchers at BishopFox Labs (BFL) disclosed new vulnerabilities in the electronic health record (EHR) system LibreHealth EHR 2.0 that they had discovered in February.
The delay between discovery and public disclosure is normal; BFL worked privately to provide LibreHealth time to create necessary patches and they are nearing that goal. LibreHealth is not a software company, but rather a collaborative community of volunteers dedicated to free and open source software projects in Health IT.
A total of five vulnerabilities were discovered, all of which could compromise EHR 2.0 and expose patients’ sensitive health care records. The vulnerabilities consisted of:
CVE-2020-11436 – cross-site scripting (XSS) issue that would allow attackers to force actions on other users' behalf
CVE-2020-11437 – SQL injection issue that resulted in sensitive data disclosure
CVE-2020-11438 – cross-site request forgery (CSRF) issue
CVE-2020-11439 – local file inclusion (LFI) that could be leveraged to compromise the underlying application server
Multiple – previously disclosed, un-remediated vulnerabilities inherited from a vulnerable software base (OpenEMR)
As of this writing, the newly discovered vulnerabilities beginning with CVE-2020 are predicted by CYR3CON to be 9x more likely to be exploited than most ordinary, low-threat vulnerabilities. Fewer than 15% of vulnerabilities receive this level of prediction from our ML-driven analysis. This result is partly driven by the fact that common weaknesses like cross-site scripting (CWE-79) are of generally high interest to hackers.
Most of the older vulnerabilities associated with affected versions of OpenEMR carry CYR3CON’s highest prediction, and have for many months, being over 38x more likely to be exploited than average.
Discovering, analyzing, tracking, and remediating vulnerabilities, especially in open source software, can be difficult even for the largest, most highly skilled, and dedicated developers and cybersecurity teams. The sheer volume and disclosure rate of vulnerabilities simply overwhelms most shops.
If you’re interested in better understanding the challenges of DevSecOps with open source software, consider reading our report, Vulnerability Prioritization Through the Eyes of Hackers, compiled with our friends over at WhiteSource.
Or, drop in to our joint webinar, July 28, 11AM EDT: Diving Into the Evil Internet: Vulnerability Prioritization Through the Eyes of Hackers, where open source vulnerabilities will be a main topic of conversation.