Executive Summary

This vulnerability exists in OpenEMR versions prior to 8.0.0.3. An authenticated user who has access to the Carecoordination module can upload a specially crafted CCDA document containing an XML inclusion tag that references local files on the server, such as <xi:include href="file:///etc/passwd" parse="text"/>. This allows the attacker to read arbitrary files from the server.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an authenticated user to read arbitrary files on the server hosting OpenEMR. This can lead to exposure of sensitive system files or data, potentially compromising the confidentiality of the server environment and patient information stored on it.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenEMR to version 8.0.0.3 or later, as this version patches the issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated user with access to the Carecoordination module in OpenEMR to read arbitrary files from the server by uploading a crafted CCDA document. Since OpenEMR is an electronic health records and medical practice management application, unauthorized access to server files could lead to exposure of sensitive patient data.

Such unauthorized data access can negatively impact compliance with regulations like GDPR and HIPAA, which require strict protection of personal and health information. The ability to read arbitrary files may result in breaches of confidentiality and data protection requirements mandated by these standards.

The issue is patched in version 8.0.0.3 of OpenEMR.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your OpenEMR installation is running a vulnerable version (prior to 8.0.0.3) and if the Carecoordination module is enabled. Since the exploit involves uploading a crafted CCDA XML document containing an <xi:include> element referencing local files, monitoring for such uploads or suspicious XML content in the Carecoordination module can help detect exploitation attempts.

To detect if the vulnerable code is present, you can inspect the source code file `src/Services/Cda/XmlExtended.php` for the presence of the `LIBXML_XINCLUDE` flag in the XMLReader initialization calls. For example, look for lines containing `LIBXML_XINCLUDE` in the methods `fromFile()` and `fromString()`.

Suggested commands to check for the vulnerable code in the OpenEMR installation directory:

• grep -r LIBXML_XINCLUDE src/Services/Cda/XmlExtended.php
• grep -r '<xi:include' /path/to/openemr/uploads/ccda/

Additionally, monitoring database tables such as `audit_details` for unexpected content that may include file contents can indicate exploitation.

If you have access to the OpenEMR Docker development environment or a test environment, you can attempt to reproduce the issue by uploading a crafted CCDA XML file containing an <xi:include> element referencing a local file (e.g., `/etc/passwd`) and then checking if the file content appears in the application or database.

Useful 0 Not Useful 0