Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data


Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.

OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.

Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).

“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns.

The first of the identified issues is described as an unauthenticated arbitrary file read and exists because the OpenEMR installer does not delete itself after the installation is completed.

Because the installation process is divided into several steps, an unauthenticated attacker could abuse a user-controlled parameter to perform some of these steps (but not a complete setup).

The attacker can invoke a function to read the current theme from the database, which results in a database connection being established using attacker-controlled properties.

A MySQL statement can be used to load the contents of a file to the database table, and a modifier can be supplied so that the file is read from the client instead of the server.

“A malicious server can request the content of another file, even in response to a totally different query from the client,” Sonar notes.

This allows an unauthenticated attacker to use a rogue MySQL server to read OpenEMR files such as backups, certificates, passwords, and tokens.

Sonar also discovered that an attacker could abuse a cross-site scripting (XSS) flaw to execute JavaScript code in the victim’s browser. The attacker can upload a PHP file and exploit a local file inclusion (LFI) to achieve RCE.

The XSS exists because, when requesting a PHP file, the browser first renders the HTML code, and only then the JavaScript context, which allows the attacker to use HTML entities within an event handler.

The LFI, Sonar explains, exists because a user-controlled variable is concatenated to a path and not sanitized, which allows an attacker to upload a PHP file and use a path traversal via the LFI to execute the file.

Sonar reported the security defects in October 2022. One month later, the vendor patched all bugs by adding sessions and CSRF checks and restricting the installation process, by encoding the character ‘&’ for an HTML entity to prevent the XSS, and by sanitizing the user-controlled parameter to prevent the LFI.

OpenEMR version 7.0.0 resolves all vulnerabilities. Users are advised to update their installations as soon as possible.

Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Exploitation of Control Web Panel Vulnerability Starts After PoC Publication

The post Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data appeared first on SecurityWeek.

Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability


A researcher has disclosed the details of a two-factor authentication (2FA) vulnerability that earned him a $27,000 bug bounty from Facebook parent company Meta. 

Gtm Manoz of Nepal discovered in September 2022 that a system designed by Meta for confirming a phone number and email address did not have any rate-limiting protection.

A fix was rolled out by Meta in October 2022 and the company highlighted Manoz’s findings in its annual bug bounty program report. The tech giant has paid out more than $16 million through its program since 2011, with $2 million awarded in 2022.

In a blog post published earlier this month, Manoz said he discovered the vulnerability while analyzing a new Meta Accounts Center page in Instagram. Here, users can add an email address and phone number to their Instagram account and the Facebook account linked to their Instagram. In order to verify the email address and phone number, users have to enter a six-digit code received via email or SMS. 

The researcher’s analysis revealed that the system verifying the six-digit code did not have rate-limiting in place, which could have allowed an attacker to enter every possible code until they got the right one.

Specifically, a hacker would have needed to know the phone number assigned by the targeted user to their Instagram and Facebook account. By exploiting the vulnerability, the attacker could have obtained the six-digit verification code through a brute-force attack and assigned the victim’s phone number to an account they controlled.

This resulted in the phone number being removed from the victim’s Facebook and Instagram account and 2FA getting disabled due to security reasons — if a phone number is verified by another user, that user would be getting the SMS containing the 2FA code, and Meta is trying to prevent that. 

Manoz showed that Facebook users did receive a notification when their phone number was removed due to being verified by a different person. 

Based on the maximum potential impact of the vulnerability, Meta decided to pay out $27,200 for the researcher’s findings.

Related: Facebook Patches Vulnerability Exposing Page Admin Identity

Related: Twitter Finds No Evidence of Vulnerability Exploitation in Recent Data Leaks

Related: Facebook Pays Out $40,000 for Account Takeover Exploit Chain

The post Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability appeared first on SecurityWeek.

Critical Vulnerability Impacts Over 120 Lexmark Printers


Printer and imaging products manufacturer Lexmark this week published a security advisory to warn users of a critical vulnerability impacting over 120 printer models.

The issue, tracked as CVE-2023-23560 (CVSS score of 9.0), is described as a server-side request forgery (SSRF) flaw in the Web Services feature of newer Lexmark devices, which could be exploited to execute arbitrary code.

“Successful exploitation of this vulnerability can lead to an attacker being able to remotely execute arbitrary code on a device,” Lexmark warns in an advisory (PDF).

The manufacturer lists roughly 125 device models that are impacted by the security defect, including B, C, CS, CX, M, MB, MC, MS, MX, XC, and XM series printers.

The company has announced firmware updates that resolve the vulnerability on all impacted devices and encourages users to find update instructions on its support website.

Additionally, Lexmark says that exploitation of CVE-2023-23560 can be blocked by disabling the Web Services feature on the vulnerable printers (TCP port 65002).

To block TCP port 65002, users would have to go to Settings > Network/Ports > TCP/IP > TCP/IP Port Access, uncheck TCP 65002 ( WSD Print Service ), and then click Save.

Lexmark also warns that, while it is not aware of any malicious attacks targeting the vulnerability, proof-of-concept (PoC) code exploiting it has been made public.

Given that it is not unusual for threat actors to target unpatched printers and other Internet of Things (IoT) devices, users are advised to apply the available patches as soon as possible.

Related: Hundreds of Thousands of Konica Printers Vulnerable to Hacking via ​​Physical Access

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Related: Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers

The post Critical Vulnerability Impacts Over 120 Lexmark Printers appeared first on SecurityWeek.

BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws


The Internet Systems Consortium (ISC) this week announced patches for multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

The addressed issues could be exploited remotely to cause named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – to crash, or could lead to the exhaustion of the available memory.

The first of the security defects, tracked as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause named to allocate large amounts of memory, resulting in a crash due to a lack of free memory.

According to ISC, because allocated memory is only retained for clients for which access credentials are accepted, the scope of the vulnerability is limited to trusted clients that are allowed to make dynamic zone changes.

For BIND 9.11 and earlier branches, the flaw can be exploited to exhaust internal resources, which results in performance issues, but not a crash.

Tracked as CVE-2022-3736, the second issue leads to a crash “when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query,” ISC explains. A remote attacker can trigger the bug by sending crafted queries to the resolver.

The third vulnerability, CVE-2022-3924, impacts the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. If the number of clients waiting for recursion to complete is high enough, a race may occur between providing a stale answer to the longest waiting client and sending an early timeout SERVFAIL, causing named to crash.

All three vulnerabilities were resolved with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. ISC says it is not aware of any of these vulnerabilities being exploited, but encourages all users to update their BIND installations as soon as possible.

ISC also warns of CVE-2022-3488, a bug impacting all supported BIND preview edition versions (a special feature preview branch provided to eligible customers).

The issue can be triggered by sending two responses in quick succession from the same nameserver, both ECS pseudo-options, but with the first response broken, causing the resolver to reject the query response. When processing the second response, named crashes.

BIND preview edition version 9.16.37-S1 resolves all four security defects. Additional information on the addressed vulnerabilities can be found in the BIND 9 security vulnerability matrix.

Related: BIND Updates Patch High-Severity Vulnerabilities

Related: High-Severity Vulnerabilities Patched in BIND Server

Related: High-Severity DoS Vulnerability Patched in BIND DNS Software

The post BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws appeared first on SecurityWeek.

Microsoft Urges Customers to Patch Exchange Servers


Microsoft this week published a blog post to remind its customers of the continuous wave of attacks targeting Exchange servers and to urge them to install the latest available updates as soon as possible.

“Attackers looking to exploit unpatched Exchange servers are not going to go away,” Microsoft says, reminding customers that both a cumulative update (CU) and a security update (SU) are available for Exchange.

“There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts,” the company continues.

Attackers, the tech giant notes, are after not only the sensitive information that user mailboxes may contain. They are also looking to access the copy of the company address book stored on the Exchange server, which they can then use in social engineering attacks.

On top of that, Microsoft notes, “Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.”

Almost every set of Patch Tuesday updates coming out of Redmond includes security fixes for Exchange, some of which address already-exploited vulnerabilities, such as ProxyNotShell and ProxyShell. For other bugs, proof-of-concept (PoC) code was published shortly after patches were released.

“To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU),” Microsoft notes.

Because the CUs and SUs are cumulative, only the latest needs to be installed. However, Exchange customers are advised to check whether a security update has been released after they installed the latest CU, and install that as well.

The tech giant also notes that mitigations that it might automatically release for a vulnerability prior to pushing an SU are only meant to provide temporary protection and might not provide protection against all variations of an attack, meaning that customers should install the SU instead.

After installing an update, customers should also run Health Checker to verify if there are any manual tasks that need to be performed. The tool provides links to step-by-step guidance for the necessary actions.

To update an Exchange server, customers should start by reading the announcement about that update, follow the available guidance for CUs or SUs, inventory all servers using Health Checker, and use the Exchange Update Wizard, which offers a step-by-step guide to Exchange updates.

Windows Server and other software running on the Exchange server should also be updated, along with dependency servers that Exchange uses, such as Active Directory and DNS.

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed

Related: Microsoft Adds On-Premises Exchange, SharePoint, Skype to Bug Bounty Program

The post Microsoft Urges Customers to Patch Exchange Servers appeared first on SecurityWeek.

Security Update for Chrome 109 Patches 6 Vulnerabilities


Google has awarded a total of more than $25,000 to the researchers who reported the vulnerabilities patched with the release of a Chrome 109 update.

The company informed users on Tuesday that six security holes have been patched in Chrome, including four reported by external researchers.

Two of them are high-severity use-after-free issues affecting the WebTransport and WebRTC components. Researchers Chichoo Kim and Cassidy Kim have been credited for reporting the flaws and they have earned a total of $19,000 for their findings.

These vulnerabilities are tracked as CVE-2023-0471 and CVE-2023-0472.

Use-after-free bugs affecting Chrome can typically be exploited for remote code execution and sandbox escapes, but in many cases they need to be chained with other flaws. 

The latest Chrome update also fixes a medium-severity type confusion issue that earned a researcher $7,500, and a medium-severity use-after-free for which the reward has yet to be determined. 

None of these vulnerabilities appears to have been exploited in the wild. According to Google’s own data, eight Chrome flaws were exploited in attacks in 2022. 

The tech giant admitted last year that an increasing number of Chrome vulnerabilities have been exploited by threat actors, and attempted to provide an explanation for this trend. 

Related: Google Releases Emergency Chrome 107 Update to Patch Actively Exploited Zero-Day

Related: Google Patches Fifth Exploited Chrome Zero-Day of 2022

Related: Chrome Flaw Exploited by Israeli Spyware Firm Also Impacts Edge, Safari

The post Security Update for Chrome 109 Patches 6 Vulnerabilities appeared first on SecurityWeek.

VMware Plugs Critical Code Execution Flaws


Virtualization technology giant VMware on Tuesday shipped its first security bulletin for 2023 with patches for multiple critical-level flaws that expose businesses to remote code execution attacks.

VMware said the security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.

VMware’s VRealize Log Insight is a log collection and analytics virtual appliance used by administrators to collect, view, manage and analyze syslog data.

The company said the most serious of the four documented flaws carry a CVSS severity score of 9.8 out of 10, adding to the urgency for organizations to apply available patches.

An advisory from the Palo Alto, Calif. company described the flaws — CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 –as directory traversal and broken access control issues with dangerous implications. 

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware warned.

The company also shipped fixes for a separate deserialization vulnerability that exposes vRealize Log Insight users to denial-of-service attacks.  

VMware also patched an information disclosure issue that allowed attackers to remotely collect sensitive session and application information without authentication.   

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: Gaping Authentication Bypass Holes in VMware Workspace One

Related: VMware Confirms Workspace One Exploits in the Wild

The post VMware Plugs Critical Code Execution Flaws appeared first on SecurityWeek.

Apple Patches Exploited iOS Vulnerability in Old iPhones


Apple on Monday announced the release of iOS 12.5.7, which brings a patch for an actively exploited vulnerability to old iPhones and iPads.

The tech giant released security updates for iOS, macOS and other products on Monday to patch many vulnerabilities, including a couple of WebKit flaws that can lead to arbitrary code execution.

In addition to updates for the latest versions of its operating systems, Apple announced the release of iOS 12.5.7, which patches CVE-2022-42856, a WebKit vulnerability that has been exploited by hackers against devices running iOS prior to version 15.1.

The vulnerability, whose exploitation was first seen by Google’s Threat Analysis Group (TAG), can be used for arbitrary code execution through specially crafted web content. 

Apple rolled out its first round of patches for CVE-2022-42856 in December 2022, when it released iOS 16.1.2. The fix was also included at the time in macOS Ventura 13.1, tvOS 16.2, Safari 16.2, and iOS and iPadOS 15.7.2.

Security updates for iOS 12 are increasingly rare, but Apple still releases patches when it needs to protect customers against exploited flaws

There is still no public information on the attacks involving CVE-2022-42856, but Google’s TAG typically tracks exploits used by sophisticated state-sponsored threat actors or commercial spyware vendors.

According to data from Google, five of the iOS vulnerabilities discovered in 2022 were exploited in the wild. 

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Related: Apple: WebKit Bugs Exploited to Hack Older iPhones

Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch

The post Apple Patches Exploited iOS Vulnerability in Old iPhones appeared first on SecurityWeek.

Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones


A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.

Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).

The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).

“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.

Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer.

What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.

As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.

Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.

Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch will be released and redirected the report to the Arm team.

After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Migrating Android to Memory-Safe Programming Languages

Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data

The post Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones appeared first on SecurityWeek.

Attacks Targeting Realtek SDK Vulnerability Ramping Up


Palo Alto Networks warns of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK.

Disclosed in August 2021, the vulnerability impacts hundreds of device types that rely on Realtek’s RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel.

The bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them.

The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time.

In a new report, Palo Alto Networks warns of an increase in attacks attempting to exploit the security defect.

“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” Palo Alto Networks says.

The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected.

A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open.

Looking at mid-to-large sized deployments, the researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each).

According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices.

To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition.

Most of the observed malicious payloads are Mirai, Gafgyt and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting early September 2022.

An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam with 17.8% and Russia at 14.6%.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited,” Palo Alto Networks concludes.

Related: Most Cacti Installations Unpatched Against Exploited Vulnerability

Related: Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

The post Attacks Targeting Realtek SDK Vulnerability Ramping Up appeared first on SecurityWeek.