{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openemr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2023-54347"}],"_cs_exploited":false,"_cs_products":["OpenEMR 7.0.1"],"_cs_severities":["medium"],"_cs_tags":["authentication","brute-force","openemr"],"_cs_type":"advisory","_cs_vendors":["OpenEMR"],"content_html":"\u003cp\u003eOpenEMR 7.0.1 is susceptible to an authentication brute force vulnerability (CVE-2023-54347) that allows attackers to bypass rate limiting protections. By sending repeated login attempts to the main login endpoint via POST requests, attackers can systematically test username and password combinations without triggering account lockout mechanisms. This vulnerability was reported in October 2023 and poses a significant risk to organizations using OpenEMR for managing sensitive patient data. Successful exploitation could lead to unauthorized access to protected health information (PHI) and other confidential data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OpenEMR 7.0.1 instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a series of HTTP POST requests targeting the main login endpoint, typically \u003ccode\u003e/interface/login/login.php\u003c/code\u003e or a similar path.\u003c/li\u003e\n\u003cli\u003eEach POST request includes the \u003ccode\u003eauthUser\u003c/code\u003e parameter containing a potential username and the \u003ccode\u003eclearPass\u003c/code\u003e parameter containing a password attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or tool to automate the process of sending numerous login attempts with different username and password combinations.\u003c/li\u003e\n\u003cli\u003eDue to the lack of effective rate limiting or account lockout, the attacker can attempt thousands of combinations without being blocked.\u003c/li\u003e\n\u003cli\u003eIf a valid username and password combination is found, the server responds with a successful authentication token or redirects the attacker to an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the OpenEMR system, potentially accessing patient records, medical history, and other sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this brute force vulnerability can result in unauthorized access to sensitive patient data stored within OpenEMR. This could lead to breaches of confidentiality, violation of HIPAA regulations, and potential legal and financial repercussions for healthcare providers. The number of affected installations is currently unknown, but any organization using OpenEMR 7.0.1 is potentially at risk. A successful attack can compromise patient privacy, disrupt healthcare operations, and damage the reputation of the affected organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOpenEMR Brute Force Login Attempts\u003c/code\u003e to detect high volumes of login attempts originating from a single source IP address.\u003c/li\u003e\n\u003cli\u003eApply robust rate limiting to the OpenEMR login endpoint to mitigate brute force attacks.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies, including complexity requirements and regular password changes, to increase the difficulty of successful brute force attacks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of OpenEMR that addresses CVE-2023-54347 or apply the vendor-supplied patch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openemr-auth-brute-force/","summary":"OpenEMR version 7.0.1 is vulnerable to an authentication brute force attack where attackers can bypass rate limiting by sending repeated login attempts, leading to potential unauthorized access.","title":"OpenEMR Authentication Brute Force Vulnerability (CVE-2023-54347)","url":"https://feed.craftedsignal.io/briefs/2024-01-openemr-auth-brute-force/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenEMR","version":"https://jsonfeed.org/version/1.1"}