
Cherwell Portal Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A code vulnerability has been discovered in the Cherwell Portal which, if exploited, allows standard portal users (Portal Customers) to view more than their own records.

Threat details

The vulnerability is exploitable through a specific sequence of user interactions on the user interface of the portal.

When the vulnerability is exploited, a code error occurs which returns and lists records which the user (portal customer) may not be authorised to access.

Cherwell are working on a patch to fix this vulnerability. A manual fix is available (by portal permissions adjustment) which prevents unauthorised results being returned and listed to the logged in user when the code errors.

This vulnerability can lead to data breaches via unauthorised access. The severity of potential breaches is dependent upon your organisation’s use of the Cherwell Portal and the sensitivity of the data it stores and processes.


Remediation steps

  • Adjust security permissions on the Cherwell Portal user account so the Cherwell Portal can only return and list results which belong to the logged-in user. From within the portal administration settings:
    1. Apply a “Limit Records Based On Criteria” expression against the Incident object (or the custom object your organisation uses) within the Customer Security Groups.
    2. Restart IIS (or equivalent).
    Please see the Cherwell 9.0 example provided below:
    [Cherwell 9.0 example screenshot]
  • Ensure all versions of Cherwell in use are in vendor support and receive security updates.
  • Keep Cherwell fully patched with the latest security updates.
  • Health and Care Organisations should contact CareCERT if they require further advice and guidance.
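The advisory's manual fix works because a security-group criterion is enforced on every read, below the UI code that errors, so the error path has no unscoped result set to fall back on. The following Python is an added illustration of that principle and is not Cherwell's code: the "Incident" records, the Customer-group predicate, the search function and the error class are all constructed stand-ins, and the vulnerable version models a fail-open error handler of the kind the advisory describes, beside a hardened version that scopes records in the data-access layer first.

```python
"""Added example (not Cherwell's code): fail-open versus fail-closed record listing.

The vulnerable version applies the owner check inside the same code path as the
user's search expression, so a code error there falls through to an unfiltered
result set. The hardened version applies a constructed equivalent of a
"Limit Records Based On Criteria" rule from the user's security group in the
data-access layer, so every query is scoped before any UI logic can fail.
All names and data here are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: int
    owner: str        # portal customer who raised the record
    summary: str


# Constructed sample data standing in for the Incident object.
INCIDENTS = [
    Incident(1, "alice", "Laptop will not boot"),
    Incident(2, "bob", "Password reset request"),
    Incident(3, "alice", "VPN client crashes"),
    Incident(4, "carol", "Printer offline on ward 3"),
]


class BadSearchExpression(Exception):
    """Stands in for the code error the advisory describes."""


def _apply_search(records, expression):
    """Toy search: expression is a substring matched against the summary.
    A None expression simulates the UI interaction that makes the code error."""
    if expression is None:
        raise BadSearchExpression("search expression could not be evaluated")
    return [r for r in records if expression.lower() in r.summary.lower()]


def list_incidents_vulnerable(user, expression):
    """Owner filtering happens after the search, inside the try block; on an
    error the handler returns the raw, unfiltered data set (fails open)."""
    try:
        result = _apply_search(INCIDENTS, expression)
        return [r for r in result if r.owner == user]
    except BadSearchExpression:
        # Error handler returns whatever it has to hand: every record.
        return list(INCIDENTS)


# Constructed equivalent of a "Limit Records Based On Criteria" expression on
# the Customer security group: a predicate over (record, current user).
SECURITY_GROUP_CRITERIA = {
    "Customer": lambda record, user: record.owner == user,
}


def fetch_for_user(user, group):
    """Every read goes through here. Criteria are applied before any search or
    presentation logic runs, so a later error cannot widen the visible set."""
    criteria = SECURITY_GROUP_CRITERIA.get(group)
    if criteria is None:
        return []          # unknown group: fail closed, return nothing
    return [r for r in INCIDENTS if criteria(r, user)]


def list_incidents_hardened(user, group, expression):
    """Search runs only over records the group criteria already permit."""
    scoped = fetch_for_user(user, group)
    try:
        return _apply_search(scoped, expression)
    except BadSearchExpression:
        # The error path can only ever see already-scoped records.
        return scoped


def owners_visible(records):
    """Helper for checking whose records a listing exposes."""
    return sorted({r.owner for r in records})
```

Calling `list_incidents_vulnerable("alice", None)` exposes records owned by bob and carol, while `list_incidents_hardened("alice", "Customer", None)` returns only alice's records under the same error; this is the behaviour the portal-permissions adjustment is meant to produce, with the scoping rule living outside the code path that fails.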

Last edited: 17 February 2020 11:27 am