Pradeo's source code analysis and secure coding tool has enabled the discovery of a vulnerability in the code of a popular open source library. This interface module for leaving comments, freely downloadable by the community, contained a flaw that allowed privilege escalation.
The vulnerability was discovered by Hopinnov, a pioneer in the digitalization of hospital logistics and a user of Pradeo's application security solution. The startup built part of its application in open source, convinced by its advantages.
Privilege escalation: One vulnerable line of code is enough
The critical vulnerability was detected by Pradeo's application source code security analysis tool. Its detection allowed Sébastien Valentini, President and Co-Founder of Hopinnov, to report it to the people in charge of the module, who resolved it within a few days with a one-line corrective change.
As part of Hopinnov's POC & PICK solution, the commenting module affected by the flaw allows users to share their feedback on operating protocols: preparation of operating rooms, equipment used, room layout, patient set-up...
This vulnerability opened the door to privilege escalation, an exploitation that would have put the hospital's data at risk. A cybercriminal could have retrieved administrator credentials and passwords and simply logged into the interface. This would have made it possible to modify the operating protocols and to retrieve all the information available in the application.
A complementary approach between audit and pentesting
Fortunately, before marketing its application, Hopinnov audited its source code with Pradeo's solution and coupled that audit with a penetration test. This complementary approach allowed them to uncover this exploitable vulnerability and is now used on a regular basis to limit the risks.
After Pradeo's solution re-analysed Hopinnov's application following the correction of the vulnerability, the application and, by extension, the open source comment module are now secured.
With Pradeo, Sébastien Valentini's company continuously ensures that the code of its application does not have any vulnerability. Indeed, the tool, which integrates health-specific analysis and offers a disruptive mechanism for detecting and remediating vulnerabilities according to secure programming practices, has enabled the company to secure its code from the design stage.
Hospital staff can now comment securely on the logistical and preparatory aspects of an operating room. Modifying a protocol, like access to certain key information, is reserved to duly authorized persons.
"The security analysis of the application code carried out by Pradeo's tool enabled us to optimally integrate the cyber risk as early as possible, an essential element in a sector such as healthcare, which is frequently affected by cyber attacks and has critical stakes. Hopinnov's mission as a software editor is to simplify the work of hospital staff and we must ensure maximum and permanent security of our software," affirms Sébastien Valentini, President and Co-Founder of Hopinnov.
About Pradeo: Pradeo provides solutions to protect mobile devices and applications. Pradeo Security technology is recognized by Gartner, IDC, Forrester and Frost & Sullivan as one of the most advanced in the industry. It provides accurate threat detection, preventing information exfiltration from mobile devices and enforcing compliance with data protection laws.