R7-2019-09 | CVE-2019-5617, CVE-2019-5643, CVE-2019-5644: C4G BLIS authentication and authorization vulnerabilities (FIXED)

This disclosure describes R7-2019-09, composed of three vulnerabilities in the Basic Laboratory Information System (BLIS). Due to flawed authentication and authorization verification, versions of BLIS < 3.5 are vulnerable to unauthenticated password resets (R7-2019-09.1), and versions of BLIS < 3.51 are vulnerable to unauthenticated enumeration of facilities and usernames (R7-2019-09.2) as well as unauthenticated updates to user information (R7-2019-09.3).
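To make the three vulnerability classes concrete from a defender's perspective, here is an added illustration in Python. It is not BLIS code and does not reflect how BLIS implements these operations (the advisory does not show that); the user store, session object, facility names and function names are all constructed for the example. It contrasts handlers that trust the request to name the account (so a password reset or a facility user list is available to anyone who can reach the endpoint) with handlers that bind every read or change to an authenticated session, enforce facility scope, and return the same error for "no such user" and "not permitted" so the check itself does not become an enumeration oracle.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    username: str
    facility: str
    password_hash: str  # "salt$pbkdf2hex", produced by hash_password()
    is_admin: bool = False


@dataclass
class Session:
    """Server-side session; only ever created by login()."""
    username: str


class AuthorizationError(Exception):
    pass


def hash_password(password: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(password, salt), stored)


def login(db: Dict[str, User], username: str, password: str) -> Optional[Session]:
    user = db.get(username)
    # Same outcome for unknown user and wrong password: no username oracle.
    if user is None or not verify_password(password, user.password_hash):
        return None
    return Session(username=user.username)


# --- Vulnerable pattern: the request alone decides whose account is touched ----------

def reset_password_unauthenticated(db: Dict[str, User], username: str, new_password: str) -> bool:
    """No session, no proof of identity: any caller can reset any user's password."""
    user = db.get(username)
    if user is None:
        return False
    user.password_hash = hash_password(new_password)
    return True


def list_usernames_unauthenticated(db: Dict[str, User], facility: str) -> List[str]:
    """Hands the user list of any facility to any caller (enumeration)."""
    return sorted(u.username for u in db.values() if u.facility == facility)


# --- Hardened pattern: identity comes from the session, scope from the actor's facility ----

def _actor(db: Dict[str, User], session: Optional[Session]) -> User:
    if session is None:
        raise AuthorizationError("login required")
    return db[session.username]


def reset_password(db: Dict[str, User], session: Optional[Session], username: str,
                   current_password: str, new_password: str) -> bool:
    actor = _actor(db, session)
    target = db.get(username)
    # One error for "no such user" and "outside your facility": no cross-facility probing.
    if target is None or target.facility != actor.facility:
        raise AuthorizationError("not permitted")
    if actor.username == target.username:
        if not verify_password(current_password, target.password_hash):
            raise AuthorizationError("not permitted")  # self-service needs the old password
    elif not actor.is_admin:
        raise AuthorizationError("not permitted")      # only facility admins reset others
    target.password_hash = hash_password(new_password)
    return True


def list_usernames(db: Dict[str, User], session: Optional[Session], facility: str) -> List[str]:
    actor = _actor(db, session)
    if not actor.is_admin or actor.facility != facility:
        raise AuthorizationError("not permitted")
    return sorted(u.username for u in db.values() if u.facility == facility)


def make_db() -> Dict[str, User]:
    """Constructed sample data for the example; not real accounts."""
    return {
        "alice": User("alice", "lab-1", hash_password("alice-pw"), is_admin=True),
        "bob": User("bob", "lab-1", hash_password("bob-pw")),
        "carol": User("carol", "lab-2", hash_password("carol-pw")),
    }
```

The same `_actor`-first shape applies to an "update user details" handler: the account being changed must be derived from, or authorized against, the logged-in session rather than taken from a request parameter, and the check must run server-side on every request, not only when the form is rendered.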


These vulnerabilities are summarized in the table below along with current status, followed by exploitation information as well as potential impact and remediation actions users should take.


BLIS Product Description


The Basic Laboratory Information System (BLIS) is an open-source product that enables hospitals, laboratories, and other healthcare infrastructure to track patients, specimens, and laboratory results. BLIS is a joint initiative of Computing for Good (C4G) at the Georgia Institute of Technology, the Centers for Disease Control and Prevention (CDC), and the health ministries of several countries in Africa. More information on this software can be found on the C4G BLIS website.


Credit


These vulnerabilities were found by Rapid7 security researcher Jacob Robles. During disclosure to the vendor, Rapid7 learned that BLIS team member Aditi Shah discovered the vulnerabilities first. These vulnerabilities are being disclosed in accordance with Rapid7's vulnerability disclosure policy.


Exploitation of R7-2019-09


The following sections describe the path followed by Rapid7 in finding these vulnerabilities. References are made to three Metasploit exploit modules. These were written during the research to verify ..
