CVE-2023-22973

8.8 HIGH

📋 TL;DR

This CVE describes a Local File Inclusion vulnerability in OpenEMR's interface/forms/LBF/new.php file that allows authenticated remote attackers to execute arbitrary code by manipulating the formname parameter. It affects OpenEMR versions before 7.0.0. Healthcare organizations using vulnerable OpenEMR installations are at risk.

💻 Affected Systems

Products:
  • OpenEMR
Versions: All versions < 7.0.0
Operating Systems: All platforms running OpenEMR
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access. The vulnerability exists in the default installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to patient data exfiltration, ransomware deployment, or complete healthcare system disruption.

🟠 Likely Case: Unauthorized access to sensitive patient health information (PHI), installation of backdoors, or lateral movement within the network.

🟢 If Mitigated: Limited impact due to network segmentation, minimal user privileges, and proper monitoring catching exploitation attempts.

🌐 Internet-Facing: HIGH - OpenEMR instances exposed to the internet are directly accessible to attackers who can exploit this after obtaining credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but requires authenticated access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.0

Vendor Advisory: https://www.open-emr.org/wiki/index.php/OpenEMR_Patches#7.0.0_Patch_.2811.2F30.2F22.29

Restart Required: No

Instructions:

1. Back up your OpenEMR installation and database.
2. Download OpenEMR version 7.0.0 or later from the official website.
3. Follow the upgrade instructions at https://www.open-emr.org/wiki/index.php/Upgrading_OpenEMR.
4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Restrict access to vulnerable file (all platforms)

Temporarily block or restrict access to the vulnerable interface/forms/LBF/new.php file. This disables the LBF new-form page for every user until the patch is applied.

# For Apache: add to a .htaccess placed in interface/forms/LBF/ so that only this
# new.php is matched (a site-wide <Files> rule would block every new.php in OpenEMR)
<Files "new.php">
    # Apache 2.4 syntax; on Apache 2.2 use "Deny from all" instead
    Require all denied
</Files>
# For Nginx: add to the server block, before the generic "location ~ \.php$" block,
# because regex locations are matched in the order they appear
location ~ /interface/forms/LBF/new\.php$ {
    deny all;
}

Implement WAF rules (all platforms)

Add web application firewall rules to detect and block LFI exploitation attempts against the formname parameter.

# Example ModSecurity rule: phase 2 inspects both GET and POST arguments; ARGS are already
# URL-decoded once, and t:urlDecodeUni additionally catches double-encoded traversal sequences.
# Matches both "../" and "..\" to mirror the SIEM query below.
SecRule ARGS:formname "@rx \.\.[/\\]" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,log,msg:'LFI attempt detected'"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OpenEMR from critical systems
  • Enforce least privilege access controls and monitor all authenticated user activity

🔍 How to Verify

Check if Vulnerable:

Check if OpenEMR version is below 7.0.0 and examine the interface/forms/LBF/new.php file for the vulnerable code pattern.

Check Version:

Check the OpenEMR version in the admin interface or examine the version.php file: grep '\$v_\|openemr_version' /path/to/openemr/version.php

Verify Fix Applied:

Verify OpenEMR version is 7.0.0 or higher and that the patch has been applied to the interface/forms/LBF/new.php file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in interface/forms/LBF/new.php
  • Multiple failed authentication attempts followed by successful login and file inclusion attempts
  • Log entries showing directory traversal patterns (../) in formname parameter

Network Indicators:

  • Unusual outbound connections from OpenEMR server
  • Traffic patterns indicating data exfiltration

SIEM Query:

source="openemr_logs" AND ("new.php" AND ("../" OR "..\\" OR "%2e%2e%2f"))
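The log indicators and SIEM query above can be applied offline to web-server access logs. The following script is an added example (not part of the original advisory or of OpenEMR) that parses combined-format access-log lines, isolates requests to interface/forms/LBF/new.php, and flags any formname value containing a traversal sequence, including single- and double-URL-encoded forms; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2023:10:00:01 +0000] "GET /interface/forms/LBF/new.php?formname=LBF1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Feb/2023:10:00:09 +0000] "GET /interface/forms/LBF/new.php?formname=../../../../tmp/x HTTP/1.1" 200 14
10.0.0.7 - - [01/Feb/2023:10:00:12 +0000] "GET /interface/forms/LBF/new.php?formname=%2e%2e%2f%2e%2e%2ftmp%2fx HTTP/1.1" 200 14
10.0.0.9 - - [01/Feb/2023:10:01:00 +0000] "GET /interface/main/tabs/main.php HTTP/1.1" 200 9000
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded value.
TRAVERSAL = re.compile(r'\.\.[/\\]')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values (%252e%252e%252f) are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True if the request targets LBF/new.php with a traversal sequence in formname."""
    parts = urlsplit(target)
    if not parts.path.endswith("/interface/forms/LBF/new.php"):
        return False
    # parse_qs already decodes one layer of percent-encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("formname", []):
        if TRAVERSAL.search(decode_fully(raw)):
            return True
    return False

def scan(log_text):
    """Return (ip, timestamp, target) for each line that matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, ts, target in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```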

🔗 References
