Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data


Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.

OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.

Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).

“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns.

The first of the identified issues is described as an unauthenticated arbitrary file read and exists because the OpenEMR installer does not delete itself after the installation is completed.

Because the installation process is divided into several steps, an unauthenticated attacker could abuse a user-controlled parameter to perform some of these steps (but not a complete setup).

The attacker can invoke a function to read the current theme from the database, which results in a database connection being established using attacker-controlled properties.

A MySQL statement can be used to load the contents of a file to the database table, and a modifier can be supplied so that the file is read from the client instead of the server.

“A malicious server can request the content of another file, even in response to a totally different query from the client,” Sonar notes.

This allows an unauthenticated attacker to use a rogue MySQL server to read OpenEMR files such as backups, certificates, passwords, and tokens.

Sonar also discovered that an attacker could abuse a cross-site scripting (XSS) flaw to execute JavaScript code in the victim’s browser. The attacker can upload a PHP file and exploit a local file inclusion (LFI) to achieve RCE.

The XSS exists because, when requesting a PHP file, the browser first renders the HTML code, and only then the JavaScript context, which allows the attacker to use HTML entities within an event handler.

The LFI, Sonar explains, exists because a user-controlled variable is concatenated to a path and not sanitized, which allows an attacker to upload a PHP file and use a path traversal via the LFI to execute the file.

Sonar reported the security defects in October 2022. One month later, the vendor patched all bugs by adding sessions and CSRF checks and restricting the installation process, by encoding the character ‘&’ for an HTML entity to prevent the XSS, and by sanitizing the user-controlled parameter to prevent the LFI.

OpenEMR version 7.0.0 resolves all vulnerabilities. Users are advised to update their installations as soon as possible.

Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Exploitation of Control Web Panel Vulnerability Starts After PoC Publication

The post Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data appeared first on SecurityWeek.

BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws


The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.

The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.

According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.

For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.

Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.

The third vulnerability, CVE-2022-3924, impacts the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. If the number of clients waiting for recursion to complete is high enough, a race may occur between providing a stale answer to the longest waiting client and sending an early timeout SERVFAIL, causing named to crash.

All three vulnerabilities were resolved with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. ISC says it is not aware of any of these vulnerabilities being exploited, but encourages all users to update their BIND installations as soon as possible.

ISC also warns of CVE-2022-3488, a bug impacting all supported BIND preview edition versions (a special feature preview branch provided to eligible customers).

The issue can be triggered by sending two responses in quick succession from the same nameserver, both ECS pseudo-options, but with the first response broken, causing the resolver to reject the query response. When processing the second response, named crashes.

BIND preview edition version 9.16.37-S1 resolves all four security defects. Additional information on the addressed vulnerabilities can be found in the BIND 9 security vulnerability matrix.

Related: BIND Updates Patch High-Severity Vulnerabilities

Related: High-Severity Vulnerabilities Patched in BIND Server

Related: High-Severity DoS Vulnerability Patched in BIND DNS Software

The post BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws appeared first on SecurityWeek.

Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones


A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.

Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).

The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).

“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.

Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer.

What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.

As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.

Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.

Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch will be released and redirected the report to the Arm team.

After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Migrating Android to Memory-Safe Programming Languages

Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data

The post Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones appeared first on SecurityWeek.

Attacks Targeting Realtek SDK Vulnerability Ramping Up


Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.

Disclosed in August 2021, the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.

The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.

In a new report, Palo Alto Networks warns of an increase in attacks attempting to exploit the security defect.

“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.

The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.

A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.

Looking at mid-to-large sized deployments, the researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).

According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.

To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.

Most of the observed malicious payloads are Mirai, Gafgyt and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting early September 2022.

An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam with 17.8% and Russia at 14.6%.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited,” Palo Alto Networks concludes.

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

The post Attacks Targeting Realtek SDK Vulnerability Ramping Up appeared first on SecurityWeek.

Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution


Cybersecurity firm NCC Group has shared details on two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

An alternative app marketplace, the Galaxy Store comes pre-installed on Samsung’s Android devices and can be used alongside Google Play to download and install software.

Tracked as CVE-2023-21433, the first of the vulnerabilities that NCC Group has identified could allow rogue applications on a device to download and install additional software from the Galaxy Store, without the user’s knowledge.

The issue is described as an improper access control flaw, where the app store contained an exported activity that failed to safely handle incoming intents. The bug, NCC explains, only impacted devices running Android 12 and older.

The second vulnerability, CVE-2023-21434, is described as an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

“It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” NCC Group explains.

The vulnerability can be exploited by tapping a malicious URL in Chrome or a pre-installed rogue application, which would bypass existing URL filtering.

The cybersecurity firm has published proof-of-concept (PoC) code for both these vulnerabilities.

The security defects were reported to Samsung in November and December 2022. Both issues were addressed in Galaxy Store version

Owners of Samsung devices running Android 12 or below are advised to update to the latest version of Galaxy Store as soon as possible.

Related: VMware Warns of Exploit for Recent NSX-V Vulnerability

Related: CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

Related: Owl Labs Patches Severe Vulnerability in Video Conferencing Devices

The post Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution appeared first on SecurityWeek.