Bishop Fox Security Advisory related to LibreHealth EHR version 2.0.0

On March 12, 2020, we were notified by Bishop Fox about a slew of security vulnerabilities they found in LibreHealth EHR 2.0.0. A good number of these were high-severity vulnerabilities that could potentially have led to the compromise of the entire server(s).

Internally, we discussed what the next action would be and decided on a plan as to how to get these fixed. Immediately after triaging, it was decided it was a good idea to spin down the demo server for LibreHealth EHR, and it remains in such a state until the fixes are finalized and confirmed to be fixed. We contracted the work of addressing these issues out to two of our former Outreachy interns, @maggie and @elizabeth, both of whom got going before the contract was even generated. This was greatly appreciated, as time was of the essence. Due to the pandemic, we were given a gracious 30-day extension to the industry standard of 90 days, to 120 days. The @lsc cannot begin to express our gratitude to these two ladies and to @KoniKodes, who has advocated for them from the beginning and is a huge asset to the community.

As of this writing, the fixes are almost finished, and we’ll cut a release soon and update Bishop Fox on the patch version. When a patch release is made, we strongly advise all users to update to that version. In the meantime, please ensure that your system is not publicly accessible on the internet in any way.

We would like to thank Chris Davis and Bishop Fox for being accommodating and communicating these to us.

You can read Bishop Fox’s full report about their findings below.


@r0bby Thanks. This is obviously very important.


Thank you, @r0bby.

@elizabeth and @maggie have been great at working on this project and keeping us in the loop regarding their updates and pull requests. I am so proud of both of them.


@r0bby @sunbiz

Do we have a date for when the demo might be available? There is a high school competition org (HOSA) that would like to use the demo for competitions. That also raises the question of whether the demo can be used by a group. I know that others (Fatima) are looking for an operational EHR.

Hey Dr. Hoyt,

Hope you are still healthy and remain untouched by this nasty virus going around.

The fixes need to be completed and validated before I’m comfortable putting it back online.

Once this is done, then I will put it back up, but I cannot put it back online right now as I’d like to be able to sleep. I did the coordination of the fixes and acted as the LibreHealth point of contact, but reached the limit of what I can do unfortunately.

@r0bby

I understand the issue, but wondered if we had a timeline for completion so we can tell people when they can expect access.

The ladies are prepping their final report, so soon =)

I’ll make an announcement when it’s back up. Shouldn’t be more than a month or so, if even that.

@r0bby @fmerchant

FYI, Dr. Fatima Merchant has asked me to lecture on EHRs to her students on September 22nd. It would be great if we had the demo up and running so I could do a live demonstration.

Should be back up by then. Fixes are complete, just waiting for end to end validation.

@r0bby @KoniKodes @sunbiz

With no LibreHealth demo, I had to use OpenEMR today to lecture at the University of Houston.

I think @sunbiz was going to throw up an instance behind a VPN for you…not sure what’s up. I’d like to get our demo back up ASAP, but I need all the fixes merged, and I’m not a PHP expert. But @mua_rachmann is doing some great work on finishing up @pri2si17’s prior GSoC work on migrating to Laravel, which will eliminate a lot of the issues. I’m waiting for those to be merged; I don’t want to run the demo with vulnerabilities.