CISA Issues Urgent Warning Regarding Mirth Connect

CISA has added a critical security flaw in NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-43208, is being actively exploited in the wild.
Mirth Connect is an open-source data integration platform widely used in healthcare to translate and route messages between systems that speak different healthcare data standards (HL7 and similar). According to its vendor it handles over a billion transactions daily across thirty countries.
The vulnerability allows unauthenticated remote code execution and stems from an incomplete patch for an earlier flaw, CVE-2023-37679 (CVSS 9.8): the fix shipped for that bug could be bypassed. Horizon3.ai first disclosed CVE-2023-43208 in late October 2023 and published further technical details along with a proof-of-concept exploit in January 2024.
According to Horizon3.ai researcher Naveen Sunkavally, the root cause is insecure use of the Java XStream library to unmarshal XML payloads. With XStream, the XML itself names the Java classes to instantiate, so an attacker who can reach the API can make the server deserialize types of their choosing. That is what makes the bug easy to exploit.
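To make the root cause concrete, here is an added example (not Mirth Connect’s code, and not Horizon3.ai’s proof of concept) that shows the XStream usage pattern this class of bug comes from next to the allowlist-based hardening XStream provides. It needs only the xstream jar on the classpath. The class names, field names and sample payloads are made up for the illustration, and the "hostile" payload instantiates a harmless stand-in class rather than a real gadget chain.

```java
// Added example, not Mirth Connect code: XStream deserialization with
// attacker-selected types (vulnerable pattern) beside an allowlisted
// deserializer (hardened pattern). All type and field names are illustrative.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// The one type this (made-up) endpoint legitimately expects from a client.
class ChannelConfig {
    String name;
    int port;
    ChannelConfig() {}
}

// Stand-in for "any class on the server's classpath". Real exploits pick
// JDK/library classes whose deserialization side effects lead to code
// execution; this stand-in only proves that it got instantiated.
class UnexpectedType {
    String cmd;
    UnexpectedType() {}
}

public class XStreamDemo {

    // Vulnerable pattern: the root element name in the client's XML is
    // resolved to a class and instantiated, whatever it is. XStream before
    // 1.4.18 behaved like this by default; on current versions the
    // AnyTypePermission line recreates that behaviour (it is also what many
    // applications add to silence XStream's security warning).
    static Object unsafeFromXml(String xml) {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(AnyTypePermission.ANY);
        return xs.fromXML(xml);
    }

    // Hardened pattern: start from "no type allowed", then allow exactly the
    // types this endpoint needs. A denylist of known-bad classes is the kind
    // of fix that the next gadget bypasses; an allowlist is not.
    static Object safeFromXml(String xml) {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, ChannelConfig.class });
        xs.alias("channel", ChannelConfig.class);
        return xs.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String benign = "<channel><name>adt-inbound</name><port>6661</port></channel>";
        // The element name is chosen by the sender and selects the class.
        String hostile = "<UnexpectedType><cmd>id</cmd></UnexpectedType>";

        ChannelConfig c = (ChannelConfig) safeFromXml(benign);
        System.out.println("hardened: accepted allowlisted type " + c.name + ":" + c.port);

        Object o = unsafeFromXml(hostile);
        System.out.println("unsafe: instantiated attacker-chosen " + o.getClass().getName());

        try {
            safeFromXml(hostile);
            System.out.println("hardened: unexpectedly accepted hostile payload");
        } catch (XStreamException e) {
            // ForbiddenClassException (an XStreamException) for the root type.
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

The vulnerable path shows the property that matters: the sender’s XML decides which class the server instantiates, and every converter and reflective field write XStream performs afterwards runs on the attacker’s behalf. The hardened path clears the permission set with NoTypePermission.NONE and admits only the DTO the endpoint expects, so the same payload is refused before any converter runs. Denying a handful of specific classes, the shape many first-attempt fixes take, is exactly what tends to be sidestepped with a different gadget, which is why an “incomplete patch” followed by a bypass CVE is a familiar pattern for XStream-based applications.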
CISA has not said what the attacks exploiting this flaw look like, who is behind them, or when they took place. Under Binding Operational Directive 22-01, federal agencies must update to a patched version, Mirth Connect 4.4.1 or later, by June 10, 2024. Note that 4.4.0, which carried the original fix for CVE-2023-37679, is still vulnerable.
Naveen Sunkavally, Chief Architect at Horizon3.ai, had this to say:
“It’s not surprising that CVE-2023-43208 was added to the CISA KEV catalog. Back in April, Microsoft Threat Intelligence reported that CVE-2023-43208 was being exploited by China-based threat actor Storm-1175 for initial access. And there have been reports of exploitation prior to that.
“We work with a lot of healthcare companies. While Mirth Connect may not be a familiar name, the data we have backs up the fact that it is a widely adopted technology. Our data is what led us to research Mirth Connect for vulnerabilities in the first place last summer. Our own pentesting product, NodeZero, routinely exploits CVE-2023-43208 in client environments, both for initial access and lateral movement.
“The inclusion of CVE-2023-43208 in the CISA KEV catalog is a reminder that attackers are inherently opportunistic and will exploit anything that seems valuable – not just VPNs, Microsoft Exchange, and Confluence. We highly encourage companies to check for Mirth Connect in their environments and patch to the latest version.”
While patching all the things isn’t a guarantee that it will keep the bad guys from pwning you, it’s a great start, as vulnerabilities that already have patches available are low-hanging fruit for threat actors.
This entry was posted on May 22, 2024 at 8:35 am and is filed under Commentary with tags CISA.