Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in OpenClinic’s GA web portal. OpenClinic GA is an open-source, fully integrated hospital management solution. The web portal allows users to manage administrative, financial, clinical, lab, x-ray and pharmacy data for health care facilities. The software contains extensive statistical and reporting capabilities. OpenClinic GA contains several vulnerabilities that could allow an adversary to carry out a wide range of malicious actions, including injecting SQL code into the targeted server or elevating their privileges.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenClinic to disclose these vulnerabilities and ensure that updates are available.

Vulnerability details

OpenClinic GA web portal SQL injection vulnerability in 'statistics/quickFile.jsp' page (TALOS-2020-1202/CVE-2020-27226)

An exploitable SQL injection vulnerability exists in the 'quickFile.jsp' page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA unauthenticated command injection vulnerability (TALOS-2020-1203/CVE-2020-27227)

An exploitable unauthenticated command injection vulnerability exists in OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request containing specific parameters to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials, and compromise of the underlying operating system.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA installation privilege escalation vulnerability (TALOS-2020-1204/CVE-2020-27228)

An incorrect default permissions vulnerability exists in the installation functionality of OpenClinic GA 5.173.3. Overwriting the binary can result in privilege escalation. An attacker can replace a file to exploit this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA web portal multiple SQL injection vulnerabilities in 'patientslist.do' page (TALOS-2020-1205/CVE-2020-27229 - CVE-2020-27231)

Multiple exploitable SQL injection vulnerabilities exist in the 'patientslist.do' page of the OpenClinic GA 5.173.3 application. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA web portal SQL injection vulnerability in 'manageServiceStocks.jsp' page (TALOS-2020-1206/CVE-2020-27232)

An exploitable SQL injection vulnerability exists in the 'manageServiceStocks.jsp' page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA web portal multiple SQL injection vulnerabilities in 'getAssets.jsp' page (TALOS-2020-1207/CVE-2020-27233 - CVE-2020-27241)

Multiple exploitable SQL injection vulnerabilities exist in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

OpenClinic GA web portal multiple SQL injection vulnerabilities in 'listImmoLabels.jsp' page (TALOS-2020-1208/CVE-2020-27242 - CVE-2020-27246)

Multiple exploitable SQL injection vulnerabilities exist in the 'listImmoLabels.jsp' page of the OpenClinic GA 5.173.3 application. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that these vulnerabilities affect OpenClinic GA, version 5.173.3.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 56475 - 56483, 56486 - 56489