POC Exploit Released On NextGen Mirth Connect Pre-Auth RCE Vulnerability

Horizon3.ai Chief Architect Naveen Sunkavally has just released “Writeup for CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE” (linked below), which includes a proof of concept exploiting the vulnerability. 

Mirth Connect is considered the Swiss Army knife of healthcare integration engines, specifically designed for HL7 message integration. It provides the necessary tools for developing, testing, deploying, and monitoring interfaces, and supports data exchange and communications across various systems.

Sunkavally said: “In Oct. 2023, we released an advisory for CVE-2023-43208, a pre-authenticated remote code execution vulnerability affecting NextGen Mirth Connect. Mirth Connect is an open source data integration platform widely used by healthcare companies. This post dives into the technical details behind this vulnerability, which is ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads. If you’re a user of Mirth Connect and haven’t patched yet, we strongly encourage you to upgrade to the 4.4.1 patch release or later. This is an easily exploitable vulnerability that our own pentesting product, NodeZero, has exploited successfully against a number of healthcare organizations.

CVE-2023-37679: CVE-2023-43208 arises from an incomplete patch for CVE-2023-37679, also a pre-auth RCE, reported by IHTeam. CVE-2023-37679 was reportedly patched in Mirth Connect 4.4.0, which was released on Aug 2, 2023. In the release notes for 4.4.0, we found it odd that this vulnerability was reported to affect only Mirth Connect versions running Java 8.”
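The root cause named in the quote above is insecure use of XStream to unmarshal XML from an untrusted source. The following is an added illustration of the defensive pattern for that class of bug (it is not Mirth Connect's code and is not taken from the Horizon3 writeup): an XStream instance is stripped of its permissive defaults and restricted to an explicit allowlist, so an XML document naming any other class is refused before an object is ever instantiated. The `Hl7Envelope` type, the `envelope` alias and the sample XML are all hypothetical, constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical message type that this application legitimately expects
    // to receive over the wire (constructed for the example).
    public static class Hl7Envelope {
        public String messageId;
        public String payload;
    }

    // Builds an XStream instance that deserializes only the listed types.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();

        // Drop the permissive default: from here on nothing is allowed unless
        // it is explicitly listed below.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-allow the harmless building blocks the envelope needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);

        // Allowlist exactly the application's own types (plus String fields).
        xstream.allowTypes(new Class[] { Hl7Envelope.class, String.class });

        // Map a stable element name to the type so callers never need the
        // Java class name in the XML.
        xstream.alias("envelope", Hl7Envelope.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed, well-formed input for the expected type.
        String good = "<envelope>"
                + "<messageId>MSG-0001</messageId>"
                + "<payload>MSH|^~\\&amp;|HOSP|LAB</payload>"
                + "</envelope>";
        Hl7Envelope env = (Hl7Envelope) xstream.fromXML(good);
        System.out.println("accepted: " + env.messageId);

        // Constructed input naming a JDK type that is not on the allowlist.
        // The hardened instance throws ForbiddenClassException instead of
        // instantiating whatever class the document asked for.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type accepted: allowlist is misconfigured");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important property is deny-by-default: rather than maintaining a blocklist of known-dangerous gadget classes (which is how incomplete patches like the one the quote describes tend to arise), the parser only ever instantiates the handful of types the application itself declared. Since XStream 1.4.18 a fresh instance already starts with a restrictive security framework; on older versions the `NoTypePermission.NONE` step is what turns the default off, so check which version the deployed application bundles.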

Naveen added: “At the time of our advisory in October, there were ~1300 Internet-facing installs of Mirth Connect. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data. On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user.”

Links:

CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/ (includes proof of concept, dated January 12, 2024)

NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208): https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
