OpenEMR Improper Certificate Validation Vulnerability in HTTP Client Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in OpenEMR's HTTP client wrapper ('oeHttp'/'oeHttpRequest') in versions prior to 7.0.4. The wrapper disables SSL/TLS certificate verification by default, so every outbound HTTPS connection made through it accepts any certificate, including one presented by an attacker sitting on the network path, which makes those connections open to man-in-the-middle (MITM) attacks. Affected traffic includes calls to government healthcare APIs and to user-configurable external services, and may carry Protected Health Information (PHI).

Impact

Because the certificate presented by the remote end is never validated, an attacker positioned between the OpenEMR server and the external service (on the same network segment, at a compromised proxy, or through DNS or ARP spoofing) can terminate the TLS session with their own certificate, read and modify the traffic, and relay it to the real server without the application noticing. This can expose PHI and the credentials carried in those requests, and tampered responses can disrupt clinical workflows that depend on the external service.

Reproduction

To reproduce this vulnerability, on an OpenEMR version prior to 7.0.4 send a request through the wrapper to an HTTPS server that presents an invalid certificate (self-signed, expired, or issued for a different hostname). The request completes normally instead of failing with a certificate error, confirming that verification is off. A second vector does not require a network position in front of the real server: an attacker who can change the 'easipro_server' global can inject a malicious URL, which the application will then call, sending PHI and OAuth credentials to the attacker-controlled endpoint.
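The two patterns at issue above, as an added example that is not OpenEMR's own oeHttp/oeHttpRequest code: a Guzzle client built with verification switched off (the weak default the advisory describes) beside one that verifies, a reproduction check that reports whether a client rejects an untrusted certificate, and a guard for an administrator-configurable upstream such as the 'easipro_server' global. The Guzzle dependency, the allowlist policy, the hostnames and the badssl.com test host in the usage comment are assumptions of this example, not details from the advisory.

```php
<?php
// Added example, not OpenEMR's own oeHttp/oeHttpRequest code.
// Assumes Guzzle is installed (composer require guzzlehttp/guzzle).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ConnectException;
use GuzzleHttp\Exception\RequestException;
use GuzzleHttp\RequestOptions;

/**
 * Weak pattern: TLS verification switched off. Any certificate, including one
 * presented by an on-path attacker, is accepted without complaint.
 */
function makeInsecureClient(): Client
{
    return new Client([
        RequestOptions::VERIFY  => false,
        RequestOptions::TIMEOUT => 10,
    ]);
}

/**
 * Hardened pattern: verification on. With `true` Guzzle uses the system CA
 * store; passing an explicit bundle path restricts which roots are trusted.
 */
function makeVerifyingClient(?string $caBundle = null): Client
{
    return new Client([
        RequestOptions::VERIFY  => $caBundle ?? true,
        RequestOptions::TIMEOUT => 10,
    ]);
}

/**
 * Guard for an admin-configurable upstream such as the easipro_server global.
 * The allowlist is a hypothetical deployment policy. Rejects plain HTTP,
 * embedded credentials and hosts outside the allowlist, so a tampered setting
 * cannot quietly redirect PHI and OAuth traffic to an attacker's endpoint.
 */
function assertSafeUpstreamUrl(string $url, array $allowedHosts): void
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException("Unparseable upstream URL: $url");
    }
    if (strtolower($p['scheme']) !== 'https') {
        throw new InvalidArgumentException("Upstream must use https: $url");
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException("Credentials in URL are not allowed: $url");
    }
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($p['host']), $allowed, true)) {
        throw new InvalidArgumentException("Host not on allowlist: {$p['host']}");
    }
}

/**
 * Reproduction check: a request to a host presenting an untrusted certificate
 * must fail. Returns true when the client refused the certificate; false means
 * the request went through, i.e. verification is off (the pre-7.0.4 behaviour).
 */
function clientRejectsBadCert(Client $client, string $badCertUrl): bool
{
    try {
        $client->request('GET', $badCertUrl);
        return false; // untrusted certificate was accepted: vulnerable
    } catch (ConnectException $e) {
        // cURL reports verification failures as "SSL certificate problem"
        return stripos($e->getMessage(), 'certificate') !== false;
    } catch (RequestException $e) {
        return false; // the server answered, so TLS was not what blocked us
    }
}

// Usage (hostnames are placeholders; self-signed.badssl.com is a public test
// host that deliberately presents a self-signed certificate):
// assertSafeUpstreamUrl('https://api.example-ehr.test/easipro', ['api.example-ehr.test']);
// var_dump(clientRejectsBadCert(makeInsecureClient(),  'https://self-signed.badssl.com/'));
// var_dump(clientRejectsBadCert(makeVerifyingClient(), 'https://self-signed.badssl.com/'));
```

Run against a deliberately bad certificate, the insecure client is expected to return false from clientRejectsBadCert (the request is accepted, matching the reproduction step) and the verifying client true. Note that `clientRejectsBadCert` only proves verification is on for the client it is handed; it says nothing about other code paths that build their own clients, so a code search for `'verify' => false` and `CURLOPT_SSL_VERIFYPEER` set to false is still worthwhile during an audit.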

Remediation

Users should upgrade to OpenEMR version 7.0.4 or later, where this vulnerability has been patched. Because certificate verification is now enforced, confirm after upgrading that the server trusts the CA chain of every configured external endpoint, including the value of the 'easipro_server' global: an integration that relied on the old behaviour will start failing with a certificate error rather than silently accepting a bad certificate, and the fix is to correct the endpoint or the CA bundle, not to disable verification again. Instructions for upgrading can be found in the OpenEMR documentation.

Added: Feb 25, 2026, 2:26 AM
Updated: Feb 25, 2026, 2:26 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.9
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.