Bangkok Medical Software HOSxP XE Hardcoded Encryption Key Vulnerability Allowing Data Decryption

Vulnerability

A vulnerability exists in Bangkok Medical Software HOSxP XE version 4.64.11.3 due to a hardcoded encryption key and initialization vector (IV) in the HOSxPXE4.exe and HOS-WIN32.INI components. This flaw allows attackers to decrypt sensitive information, including privileged database credentials, potentially compromising the entire patient health database in affected deployments. The vulnerability arises from the use of a static key-IV pair with a predictable encryption algorithm, enabling unauthorized access to application secrets.

Impact

Exploitation of this vulnerability allows for decryption of the application's database credentials, leading to unauthorized access and manipulation of the patient health database.

Reproduction

The vulnerability can be reproduced by accessing the HOSxP application installed on a workstation. The hardcoded key and IV can be extracted from process memory while the application is running, using a dynamic analysis tool. Once obtained, the key and IV can be used to decrypt the database password stored in the HOS-WIN32.INI file, which is readable by the workstation user.
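To make the flaw class concrete, the following is an added model of the weakness described in the Vulnerability and Reproduction sections, not code from HOSxP or from the advisory: a static key and IV (placeholder values, not the real constants, which this page does not publish) encrypting a configuration secret, beside the minimum fix for the IV half, plus the check a defender can run to fingerprint a deterministic scheme. It assumes AES-CBC with PKCS#7 padding; the advisory does not name the algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed placeholders for the constants embedded in the binary; the real
// HOSxP values are not on this page and are not reproduced here.
var staticKey = []byte("PLACEHOLDER-KEY-0123456789abcdef") // 32 bytes: AES-256
var staticIV = []byte("PLACEHOLDER-IV!!")                  // 16 bytes: one AES block

// pkcs7Pad returns a padded copy of b, a whole number of AES blocks long.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptStatic models the flawed scheme (AES-CBC assumed): fixed key and fixed
// IV, so the same password yields the same ciphertext on every workstation.
func EncryptStatic(pt []byte) []byte {
	block, _ := aes.NewCipher(staticKey)
	padded := pkcs7Pad(pt)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out
}

// EncryptRandomIV fixes the IV half: a fresh random IV per call, prefixed to the
// ciphertext. The key must still live outside the executable (an OS-protected
// store or a server-side secret) or anyone holding the binary can still decrypt.
func EncryptRandomIV(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	padded := pkcs7Pad(pt)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// IsDeterministic is the defender's check: encrypt one secret twice and compare.
// Identical output is the fingerprint of a static key/IV pair.
func IsDeterministic(enc func([]byte) []byte, secret []byte) bool {
	return bytes.Equal(enc(secret), enc(secret))
}
```

In a fleet audit the same check applies across workstations: identical encrypted password blobs in HOS-WIN32.INI on different machines indicate the static scheme, while a random-IV scheme yields a different blob each time.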

Remediation

Bangkok Medical Software has released a security update to address this vulnerability. Users are advised to download the latest patch from the HOSxP Cloud Application Installer or contact Bangkok Medical Software for assistance.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.