OpenClinic GA (Update B)
Act Now · 9.8 · ICS-CERT ICSMA-20-184-01 · Jul 2, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
OpenClinic GA contains multiple authentication bypass, information disclosure, and arbitrary code execution vulnerabilities. Successful exploitation could allow an attacker to bypass authentication, discover restricted information, view or manipulate database contents, and execute malicious code. Affected versions are 5.09.02 and 5.89.05b.
What this means
What could happen
An attacker could bypass login controls to access OpenClinic GA, read or modify patient records and sensitive health data, or run arbitrary commands on the system hosting the application.
Who's at risk
Healthcare facilities and clinics using OpenClinic GA—a clinical management system for scheduling, patient records, and billing. Affects both legacy (5.09.02) and mid-range (5.89.05b) deployments. Impact extends to patient privacy, data integrity, and system availability.
How it could be exploited
An attacker on the network sends HTTP requests to OpenClinic GA without valid credentials. Due to authentication bypass vulnerabilities, the requests are accepted, allowing the attacker to directly access the web interface, query or modify the database, or upload files that execute malicious code on the server.
Prerequisites
- Network access to OpenClinic GA web interface (typically HTTP/HTTPS port 80/443)
- No valid user credentials required due to authentication bypass
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (92.7%); affects healthcare systems and patient data; multiple vulnerability types (authentication bypass, code execution, information disclosure)
Exploitability
High exploit probability (EPSS 92.7%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
OpenClinic GA | 5.09.02 | fixed in 5.170.5
OpenClinic GA | 5.89.05b | fixed in 5.170.5
Remediation & Mitigation
Do now
- HOTFIX: Upgrade OpenClinic GA to version 5.170.5 or later
- HARDENING: Restrict network access to OpenClinic GA to authorized staff only; do not expose the application to the Internet
- HARDENING: Place OpenClinic GA on a segmented network behind a firewall, separate from general business and Internet-facing systems
- WORKAROUND: Require authentication via VPN for all remote access to OpenClinic GA; ensure VPN software is kept current
Schedule — requires maintenance window
- Patching may require a device reboot — plan for process interruption
- HARDENING: Enforce least-privilege user accounts; audit and remove unnecessary user permissions
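The HOTFIX item above turns into an inventory question: which installed OpenClinic GA versions are still below 5.170.5? The version strings in this advisory mix numbers and letter suffixes ("5.89.05b"), so a plain string compare gets the ordering wrong ("5.89" would sort after "5.170"). The following is an added example, not code from the advisory or from the OpenClinic project; it assumes you already have each host's version string (from the application's administration screen or your deployment inventory; how you obtain it is outside the example) and classifies it against the affected list and fix version stated on this page.

```python
import re

# Versions this advisory lists as affected (taken from the page above).
AFFECTED_VERSIONS = ("5.09.02", "5.89.05b")
# Version the advisory names as carrying the fix.
FIXED_VERSION = "5.170.5"

# One dotted component: digits optionally followed by a letter suffix, e.g. "05b".
_COMPONENT = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(version: str) -> tuple:
    """Split an OpenClinic GA version string into comparable (number, suffix) parts.

    "5.89.05b" -> ((5, ""), (89, ""), (5, "b")). Leading zeros are dropped by
    int(), and a lettered build sorts after the unlettered build with the same
    number because "" < "b" in tuple comparison.
    """
    parts = []
    for comp in version.strip().split("."):
        m = _COMPONENT.match(comp)
        if not m:
            raise ValueError(f"unrecognised version component {comp!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    # Missing trailing components count as zero, so "5.170" == "5.170.0".
    pa += [(0, "")] * (width - len(pa))
    pb += [(0, "")] * (width - len(pb))
    if pa < pb:
        return -1
    if pa > pb:
        return 1
    return 0


def assess(installed: str) -> dict:
    """Classify an installed version against the advisory.

    status is one of:
      "affected"           - one of the versions the advisory explicitly lists
      "unlisted_below_fix" - older than the fixed version but not on the list;
                             the advisory does not say it is affected, so review it
      "fixed_or_later"     - at or above 5.170.5
    """
    parsed = parse_version(installed)
    if any(parsed == parse_version(v) for v in AFFECTED_VERSIONS):
        status = "affected"
    elif compare_versions(installed, FIXED_VERSION) < 0:
        status = "unlisted_below_fix"
    else:
        status = "fixed_or_later"
    return {
        "installed": installed,
        "status": status,
        "action": "upgrade to 5.170.5 or later" if status != "fixed_or_later" else "none",
    }


if __name__ == "__main__":
    # Constructed sample inventory: host name -> version string.
    inventory = {
        "clinic-app-01": "5.09.02",
        "clinic-app-02": "5.89.05b",
        "clinic-app-03": "5.170.5",
        "clinic-app-04": "5.100.1",
    }
    for host, version in inventory.items():
        result = assess(version)
        print(f"{host}: {version} -> {result['status']} ({result['action']})")
```

The "unlisted_below_fix" bucket is deliberate: the advisory names only two affected versions, so the script does not claim other pre-5.170.5 builds are vulnerable, but it does surface them for review rather than silently treating them as safe.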
CVEs (11)
API:
/api/v1/advisories/18c462cb-3725-4f34-b110-0160f1d7fbc7