CVE-2021-32101

8.2 HIGH

📋 TL;DR

CVE-2021-32101 is an incorrect access control vulnerability in the Patient Portal of OpenEMR 5.0.2.1, located in portal/patient/_machine_config.php. An unauthenticated attacker registers a portal account and, with it, bypasses the permission check on the portal's API, after which they can read and manipulate the data of every registered patient. Any healthcare organization running the 5.0.2.1 Patient Portal is affected.

💻 Affected Systems

Products:
  • OpenEMR
Versions: 5.0.2.1
Operating Systems: All platforms running OpenEMR
Default Config Vulnerable: ⚠️ Yes, when the Patient Portal is enabled
Notes: Only the Patient Portal component is affected; installations with the portal switched off expose no path to the flawed check. The flawed access control lives in portal/patient/_machine_config.php.

📦 What is this software?

OpenEMR is an open-source electronic health records (EHR) and medical practice management application, written in PHP over MySQL/MariaDB. Its Patient Portal is the patient-facing web component through which patients register, sign in and view their own records.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all patient health records, including sensitive medical data, personal information, and potential manipulation of medical records leading to incorrect treatment.

🟠

Likely Case

Unauthorized access to patient health records, exposure of sensitive personal health information (PHI), and potential data manipulation affecting multiple patients.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect unauthorized access attempts.

🌐 Internet-Facing: HIGH - Patient portals are typically internet-facing, making them directly accessible to attackers without network perimeter controls.
🏢 Internal Only: MEDIUM - Even internally, unauthorized users could exploit this if they gain network access to the portal.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no credentials: the attacker self-registers through the portal's own registration form and then calls the portal API directly, so the whole chain is a handful of HTTP requests. Technical details were published with the disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenEMR 5.0.2 Patch 5

Vendor Advisory: https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431

Restart Required: Yes

Instructions:

1. Back up the OpenEMR web directory and the MySQL/MariaDB database.
2. Download OpenEMR 5.0.2 Patch 5 from the official site linked in the advisory above.
3. Unzip the patch over the OpenEMR installation (OpenEMR patches are file drops that overwrite the affected files), then load sql_patch.php in a browser from the web root so that any schema changes shipped with the patch are applied.
4. Reload the web server and confirm that the version shown in the application reads 5.0.2 at patch level 5.

🔧 Temporary Workarounds

Disable Patient Portal

linux

Take the vulnerable Patient Portal component offline until the patch is applied. Renaming the directory makes every portal URL fail for legitimate patients as well as attackers, so announce the outage; the staff-facing OpenEMR interface is unaffected. If your build exposes a portal enable/disable switch under Administration > Globals, turn the portal off there as well, since that setting survives file-level updates.

# Remove or rename the portal directory
mv /path/to/openemr/portal /path/to/openemr/portal_disabled

Restrict Network Access

linux

Limit who can reach the portal at the network layer. Port-level filtering applies to the whole web server: if the staff interface and the portal share a host and port, this cuts patients off from the portal entirely (at which point disabling the portal is the cleaner option) and still leaves the hole open to every client inside the allowed range. Insert the rules ahead of any broader ACCEPT so they take effect.

# Allow the clinic network on HTTPS, drop everyone else
iptables -I INPUT 1 -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate the Patient Portal from untrusted networks, or take it offline; a portal that must stay reachable from the internet cannot be protected by segmentation alone
  • Turn off patient self-registration in the portal settings if your build offers it; the attack begins with an attacker-created account
  • If you deploy a WAF rule, key it on the portal's registration and API paths and on one client reading many patients' records, not only on the filename portal/patient/_machine_config.php, which is where the flawed check lives and not necessarily the URL the attack traffic hits

🔍 How to Verify

Check if Vulnerable:

Confirm the version first (next section). An install on 5.0.2 below patch level 5 is vulnerable; there is no runtime setting that closes this hole. To confirm the behaviour, use a staging copy loaded with synthetic patient records, never production PHI: self-register a portal account, then request records belonging to a different patient through the portal API and check whether the server returns them or refuses.

Check Version:

The release and patch level live in version.php at the web root, as separate PHP assignments ($v_major, $v_minor, $v_patch, $v_realpatch); interface/globals.php only assembles $openemr_version from them, so grepping globals.php shows the expression rather than the installed version:

grep -E '^\$v_(major|minor|patch|realpatch)' /path/to/openemr/version.php

An installation on 5.0.2 with $v_realpatch below 5 is unpatched. The version string shown in the web interface reports the same values.
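The same check as a script, for fleets with more than one install. This is an added example, not OpenEMR's own code; it assumes version.php holds the five $v_* assignments shown in the constructed sample, that the 5.0.2.1 release corresponds to $v_realpatch = '1' and Patch 5 to '5', and it reports versions outside the 5.0.2 line as not assessed rather than guessing.

```python
"""Read OpenEMR's version.php and say whether the install is a 5.0.2 build
below the Patch 5 level named as the fix for CVE-2021-32101.
Added example, not OpenEMR code."""
import re
import sys

# Constructed sample with the five assignments OpenEMR's version.php carries
# near the top. Here 5.0.2.1, i.e. release 5.0.2 with $v_realpatch = '1';
# that mapping (and Patch 5 meaning '5') is this example's assumption.
SAMPLE_VERSION_PHP = """<?php
$v_major = '5';
$v_minor = '0';
$v_patch = '2';
$v_realpatch = '1';
$v_tag = '';
"""

FIXED = (5, 0, 2, 5)  # 5.0.2 Patch 5, the fix level this page names

_ASSIGN = re.compile(r"^\$v_(major|minor|patch|realpatch|tag)\s*=\s*'([^']*)'\s*;", re.M)


def parse_version(php_source):
    """Return the numeric fields (plus tag) found in version.php text."""
    fields = dict(_ASSIGN.findall(php_source))
    missing = {"major", "minor", "patch", "realpatch"} - set(fields)
    if missing:
        raise ValueError("version.php is missing: " + ", ".join(sorted(missing)))
    return {
        "major": int(fields["major"]),
        "minor": int(fields["minor"]),
        "patch": int(fields["patch"]),
        "realpatch": int(fields["realpatch"] or 0),
        "tag": fields.get("tag", ""),
    }


def display(v):
    """Render like the version string in the UI, e.g. 'v5.0.2 (1)'."""
    base = f"v{v['major']}.{v['minor']}.{v['patch']}"
    return f"{base} ({v['realpatch']})" if v["realpatch"] else base


def assess(v):
    """'vulnerable' or 'patched' for the 5.0.2 line; 'not assessed' for any
    other release, because this page documents only 5.0.2.1 as affected."""
    if (v["major"], v["minor"], v["patch"]) != FIXED[:3]:
        return "not assessed"
    return "patched" if v["realpatch"] >= FIXED[3] else "vulnerable"


if __name__ == "__main__":
    # Usage: python check_openemr_version.py /path/to/openemr/version.php
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    v = parse_version(src)
    print(display(v), "->", assess(v))
```

Run it against each install's version.php; a result of "patched" means the file-level patch was applied, not that sql_patch.php was run, so keep that as a separate step in your runbook.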

Verify Fix Applied:

Confirm that version.php reports 5.0.2 at patch level 5 or later (the patch overwrites portal/patient/_machine_config.php among other files), then repeat the staging test above: a self-registered account must be refused when it asks for another patient's data.

📡 Detection & Monitoring

Log Indicators:

  • A portal self-registration followed within minutes by reads of many different patients' records from the same client; the attack needs no stolen credentials, so failed-login noise is not the signal
  • Requests to the portal API from a client with no established patient session
  • A newly registered account touching records that are not its own

Network Indicators:

  • Unusual traffic to Patient Portal registration endpoints
  • API calls to patient data endpoints from unauthenticated sources

SIEM Query:

source="openemr_logs" AND (uri="/portal/patient/_machine_config.php" OR message="unauthorized access" OR message="registration attempt")

The field names (source, uri, message) are placeholders for whatever your web-server or application log source actually provides, and a match on the _machine_config.php filename alone only catches a direct probe of that file. The stronger query counts distinct patient identifiers per client over a short window, which requires the patient identifier to be extracted from the request path into its own field.
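To turn the indicators above into something that runs over an access log, here is an added example in Python; it is not OpenEMR code and the log lines are constructed. The registration path (/portal/account/register.php) and the pid query parameter that names the patient being read are assumptions to replace with whatever your own logs show; the logic, flagging one client that reads many distinct patients shortly after self-registering, plus any direct request for the _machine_config.php file, is the part that carries over.

```python
"""Flag portal clients that enumerate many patients' records shortly after
self-registering, over Apache 'combined' access-log lines.
Added detection example for CVE-2021-32101, not OpenEMR code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed paths: the self-registration form and a record read that names the
# target patient with a "pid" query parameter. Adjust to what your logs show.
REGISTER_PATH = "/portal/account/register.php"
PID_PARAM = "pid"

# client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not captured from a real system).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2021:14:02:11 +0000] "POST /portal/account/register.php HTTP/1.1" 200 812 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:02:14 +0000] "GET /portal/patient/index.php?pid=1001 HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:02:15 +0000] "GET /portal/patient/index.php?pid=1002 HTTP/1.1" 200 5044 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:02:16 +0000] "GET /portal/patient/index.php?pid=1003 HTTP/1.1" 200 5210 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:02:17 +0000] "GET /portal/patient/index.php?pid=1004 HTTP/1.1" 200 4990 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:02:18 +0000] "GET /portal/patient/index.php?pid=1005 HTTP/1.1" 200 5130 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/May/2021:14:03:30 +0000] "GET /portal/patient/index.php?pid=1006 HTTP/1.1" 200 5001 "-" "python-requests/2.25.1"
198.51.100.4 - - [10/May/2021:14:05:00 +0000] "GET /portal/patient/index.php?pid=1042 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2021:14:06:10 +0000] "GET /portal/patient/index.php?pid=1042 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2021:14:07:45 +0000] "GET /portal/patient/_machine_config.php HTTP/1.1" 200 310 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["path"])
    rec["file"] = parts.path
    rec["pid"] = parse_qs(parts.query).get(PID_PARAM, [None])[0]
    return rec


def detect(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert dict per (client, reason).
    patient_enumeration: a client reads >= threshold distinct pids inside any
      window; registered_at is set when that client also POSTed a registration.
    direct_include_request: a request for _machine_config.php itself, a file a
      browser has no reason to load."""
    registered, reads, alerts = {}, defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["file"].endswith("/_machine_config.php"):
            alerts.append({"ip": rec["ip"], "reason": "direct_include_request",
                           "at": rec["time"].isoformat()})
        if rec["method"] == "POST" and rec["file"] == REGISTER_PATH and rec["status"] == 200:
            registered.setdefault(rec["ip"], rec["time"])
        if rec["pid"] is not None:
            reads[rec["ip"]].append((rec["time"], rec["pid"]))

    for ip, events in reads.items():
        events.sort()
        # Largest number of distinct patients read by this client within any window
        best = 0
        for i, (start, _) in enumerate(events):
            pids = {pid for t, pid in events[i:] if t - start <= window}
            best = max(best, len(pids))
        if best >= threshold:
            reg = registered.get(ip)
            alerts.append({"ip": ip, "reason": "patient_enumeration", "distinct_pids": best,
                           "registered_at": reg.isoformat() if reg else None})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune threshold to what a genuine patient session looks like in your logs (normally one pid, its own); the repeated reads of a single pid by 198.51.100.4 in the sample are exactly the benign case the distinct-count keeps quiet.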

🔗 References

  • Vendor advisory (OpenEMR 5.0.2 Patch 5): https://community.open-emr.org/t/openemr-5-0-2-patch-5-has-been-released/15431
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-32101
