CVE-2024-22611
📋 TL;DR
CVE-2024-22611 is a critical SQL injection vulnerability in OpenEMR that allows attackers to execute arbitrary SQL commands through pharmacy-related components. This affects OpenEMR 7.0.2 installations, potentially compromising patient data and system integrity. Healthcare organizations using vulnerable versions are at immediate risk.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by OpenEMR: open-source electronic health records and medical practice management software.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to patient data theft, system takeover, ransomware deployment, and healthcare service disruption
Likely Case
Unauthorized access to sensitive patient records (PHI), data exfiltration, and potential privilege escalation
If Mitigated
Limited impact with proper input validation, WAF rules, and database permissions restricting damage to specific tables
🎯 Exploit Status
SQL injection via pharmacy-related endpoints; public GitHub repository contains research details and likely exploit code
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenEMR 7.0.2.1 or later
Vendor Advisory: https://www.open-emr.org/wiki/index.php/Security
Restart Required: No
Instructions:
1. Back up the database and application files.
2. Download the latest OpenEMR version from the official repository.
3. Replace the vulnerable files: Pharmacy.class.php, C_Pharmacy.class.php, controller.php.
4. Verify that proper parameterized queries are implemented.
5. Test pharmacy functionality.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns targeting pharmacy endpoints
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,msg:'SQL Injection Attempt'"
# Add specific rules for /openemr/controller.php and pharmacy endpoints
Input Validation Filter
Implement input validation middleware to sanitize pharmacy-related parameters
# PHP example: filter_input(INPUT_GET, 'param', FILTER_SANITIZE_STRING);
# Add validation to $_GET, $_POST, and $_REQUEST handling for pharmacy functions
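The following is an added example, not OpenEMR's own code: it shows the string-concatenated query pattern a reviewer should look for in the pharmacy-related files next to the parameterized form that step 4 of the fix instructions asks you to verify. Input filtering such as the filter_input() call above reduces exposure, but the bound parameter is what actually removes the injection: the SQL text stays constant and the value is never interpreted as SQL. The example uses PDO with an in-memory SQLite database rather than OpenEMR's database helper, and the table and column names (pharmacies, id, name) are constructed for the example.

```php
<?php
// Added example (not OpenEMR project code): the unsafe pattern a reviewer should
// look for in the pharmacy-related files, beside the parameterized form that
// step 4 of the fix instructions asks you to verify. Uses PDO with SQLite so it
// runs stand-alone; the table and column names are constructed for this example.

declare(strict_types=1);

// VULNERABLE: user input is spliced into the SQL text, so a value such as
// "0 OR 1=1" changes the meaning of the query. Kept only as the 'before' picture.
function findPharmacyUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM pharmacies WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the SQL text is constant; the value travels as a bound parameter and is
// never parsed as SQL, whatever it contains. Casting also enforces the expected type.
function findPharmacySafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM pharmacies WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory data so the contrast between the two functions is visible.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pharmacies (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO pharmacies VALUES (1, 'Main Street Pharmacy'), (2, 'Hospital Dispensary')");

$benign  = '1';
$hostile = '0 OR 1=1';   // a value that should never match any single record

// With the unsafe function the hostile value turns the WHERE clause into a
// tautology and every row is returned; with the safe function the same value
// is bound as the integer 0 and matches nothing.
printf("unsafe, benign : %d row(s)\n", count(findPharmacyUnsafe($db, $benign)));
printf("unsafe, hostile: %d row(s)\n", count(findPharmacyUnsafe($db, $hostile)));
printf("safe,   benign : %d row(s)\n", count(findPharmacySafe($db, $benign)));
printf("safe,   hostile: %d row(s)\n", count(findPharmacySafe($db, $hostile)));
```

Run it with a PHP build that includes pdo_sqlite. When reviewing the replaced files, the property to check is the one findPharmacySafe() has: no request-derived value is concatenated into the query string, and every variable part of the statement arrives through a placeholder.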
🧯 If You Can't Patch
- Disable pharmacy module functionality if not required
- Implement strict database user permissions with read-only access where possible
🔍 How to Verify
Check if Vulnerable:
Check whether the OpenEMR version is 7.0.2, and examine Pharmacy.class.php, C_Pharmacy.class.php, and controller.php for queries that are built from request input without parameterization.
Check Version:
grep 'v\|version' /path/to/openemr/sqlconf.php, or check the version shown in the OpenEMR interface footer
Verify Fix Applied:
Verify updated files use prepared statements with bound parameters; test pharmacy functionality with SQL injection test payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by pharmacy module access
- Long parameter values in web server logs containing SQL keywords
Network Indicators:
- HTTP requests to /openemr/controller.php with SQL syntax in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND (url="*controller.php*" OR url="*pharmacy*") AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*" OR param="*DELETE*")
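As an added example, not from the page's source or the OpenEMR project, the script below applies the log and network indicators above to web-server access-log lines in Apache combined format. It mirrors the SIEM query (UNION, SELECT, INSERT or DELETE inside a parameter of a request to controller.php or a pharmacy URL) and the "long parameter values" indicator, with a length threshold chosen for the example. The sample log lines, and the module/id parameter names in them, are constructed and do not describe OpenEMR's actual request format.

```php
<?php
// Added example (not OpenEMR project code): apply the log and network indicators
// listed above to web-server access-log lines in Apache combined format.
// The sample lines and their query parameter names are constructed for this example.

declare(strict_types=1);

const SUSPECT_PATH_RE = '/(controller\.php|pharmacy)/i';       // endpoints named in the SIEM query
const SQL_KEYWORD_RE  = '/\b(UNION|SELECT|INSERT|DELETE)\b/i';   // keywords named in the SIEM query
const LONG_VALUE_LEN  = 200;                                     // "long parameter value" threshold, chosen for this example
const LOG_LINE_RE     = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<url>\S+) [^"]*" (?<status>\d{3})/';

/**
 * Inspect one access-log line. Returns a finding when the request targets a
 * pharmacy/controller endpoint and a parameter value contains SQL keywords or is
 * unusually long; returns null otherwise.
 */
function inspectLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;                                 // not a request line in the expected format
    }
    $url  = parse_url($m['url']);
    $path = $url['path'] ?? '';
    if (!preg_match(SUSPECT_PATH_RE, $path)) {
        return null;                                 // not one of the endpoints of interest
    }

    $params = [];
    parse_str($url['query'] ?? '', $params);         // parse_str percent-decodes the values
    $reasons = [];
    array_walk_recursive($params, function ($value, $key) use (&$reasons): void {
        if (!is_string($value)) {
            return;
        }
        if (preg_match(SQL_KEYWORD_RE, $value, $kw)) {
            $reasons[] = sprintf('parameter "%s" contains SQL keyword %s', $key, strtoupper($kw[1]));
        }
        if (strlen($value) > LONG_VALUE_LEN) {
            $reasons[] = sprintf('parameter "%s" is %d bytes long', $key, strlen($value));
        }
    });

    if ($reasons === []) {
        return null;
    }
    return ['ip' => $m['ip'], 'time' => $m['ts'], 'path' => $path, 'reasons' => $reasons];
}

// Constructed sample log lines: the first two are benign, the third carries SQL
// syntax in a parameter, the fourth an unusually long parameter value.
$sampleLines = [
    '203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET /openemr/interface/main/main_screen.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Mar/2024:10:00:05 +0000] "GET /openemr/controller.php?module=pharmacy&action=list HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Mar/2024:10:01:13 +0000] "GET /openemr/controller.php?module=pharmacy&id=1%20UNION%20SELECT%201 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Mar/2024:10:01:20 +0000] "GET /openemr/controller.php?module=pharmacy&id=' . str_repeat('A', 300) . ' HTTP/1.1" 500 128',
];

foreach ($sampleLines as $line) {
    $finding = inspectLogLine($line);
    if ($finding !== null) {
        printf("[ALERT] %s %s %s: %s\n",
            $finding['time'], $finding['ip'], $finding['path'], implode('; ', $finding['reasons']));
    }
}
```

Only the third and fourth sample lines produce an alert. To run it over a real log, replace $sampleLines with the lines of the access log; note that POST bodies are not in the access log, so parameters sent that way need the WAF or application-level logging to be visible. The "failed logins followed by pharmacy module access" indicator requires correlating the authentication log with these findings by client address and time, which this single-line check does not do.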