CVE-2023-43208: NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208)
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.
Summary
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208. If you’re a user of Mirth Connect, you’ll want to upgrade to the latest patch release, 4.4.1, as of this writing.
Background
A few months ago, we came across an unauthenticated remote code execution vulnerability, CVE-2023-37679, affecting Mirth Connect that was reported by IHTeam. Mirth Connect is an interesting application for us at Horizon3.ai because a number of our clients are in the healthcare space and use this application. Healthcare companies are commonly targeted by ransomware threat actors, and this application has decent exposure on the Internet (about 1200+ unique hosts).
CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.
Impact
This is an easily exploitable, unauthenticated remote code execution vulnerability. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data.
We are not releasing an exploit at this time, but the methods for exploitation (involving Java XStream) are well known and documented. We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable.
On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user. Here’s an example of exploiting this vulnerability to run the ping command on a Windows host:
Detection
The version of the Mirth Connect server can be determined as follows:
% curl -k -H 'X-Requested-With: OpenAPI' https://<server>:<port>/api/server/version
4.4.0
Any server reporting a version less than 4.4.1 is highly likely to be exploitable.
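The following script is an added example (not Horizon3.ai's or NextGen's code) that automates the version check above: it issues the same GET to /api/server/version with the X-Requested-With: OpenAPI header and compares the returned version against 4.4.1 numerically, so that a hypothetical 4.10.0 is not misread as older than 4.4.1 by a string comparison. The host URL is a placeholder you supply; verify_tls=False mirrors the curl -k in the advisory.

```python
"""Inventory check for the Mirth Connect version endpoint (CVE-2023-43208).

Added example, not part of the original advisory. Assumptions: the server
answers GET /api/server/version with a bare version string such as
'4.4.0' (as shown in the advisory), and 4.4.1 is the first fixed release.
"""
import re
import ssl
import sys
import urllib.request

# First release containing the fix for CVE-2023-43208, per the advisory.
FIXED_VERSION = (4, 4, 1)


def parse_version(text: str) -> tuple:
    """Turn a version string such as '4.4.0' into a tuple of ints.

    A trailing non-numeric suffix (e.g. a hypothetical '4.4.1-rc1') is
    ignored and missing components are treated as zero, so '4.4' == (4, 4, 0).
    """
    match = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable(version_text: str) -> bool:
    """True if the reported version is older than the fixed release 4.4.1."""
    return parse_version(version_text) < FIXED_VERSION


def fetch_version(base_url: str, verify_tls: bool = False, timeout: float = 10.0) -> str:
    """Query the version endpoint used in the advisory's curl check.

    base_url is e.g. 'https://mirth.example.internal:8443' (placeholder).
    verify_tls=False corresponds to curl -k; Mirth installs commonly ship
    with self-signed certificates.
    """
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/server/version",
        headers={"X-Requested-With": "OpenAPI"},
    )
    with urllib.request.urlopen(request, timeout=timeout, context=context) as response:
        return response.read().decode("utf-8", "replace").strip()


def assess(base_url: str) -> dict:
    """Fetch and classify one server; returns a small result record."""
    version = fetch_version(base_url)
    return {"url": base_url, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Usage: python mirth_version_check.py https://host1:8443 https://host2:8443
    for url in sys.argv[1:]:
        try:
            result = assess(url)
        except Exception as exc:  # unreachable host, TLS error, HTTP error, bad body
            print(f"{url}\tERROR\t{exc}")
            continue
        status = "VULNERABLE (< 4.4.1)" if result["vulnerable"] else "patched"
        print(f"{url}\t{result['version']}\t{status}")
```

Run it against the list of Mirth Connect hosts in your asset inventory; any line reporting a version below 4.4.1 should go to the front of the patch queue, matching the advisory's guidance that such servers are highly likely to be exploitable.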
Remediation
We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.
Timeline
- Sept. 8, 2023: Horizon3.ai sends initial report to NextGen
- Sept. 8, 2023: NextGen acknowledges receipt
- Oct. 6, 2023: NextGen provides Horizon3.ai a test build for 4.4.1
- Oct. 13, 2023: Horizon3.ai completes testing/review of test build
- Oct. 17, 2023: NextGen releases 4.4.1
- Oct. 25, 2023: This post
We’d like to thank NextGen for the prompt handling of this vulnerability, and a hat tip to IHTeam for discovering the original issue.
References
- Mirth Connect on GitHub
- Mirth Connect 4.4.1 Release Notes
- CVE-2023-43208
- IHTeam Advisory for CVE-2023-37679
- CVE-2023-37679
Related news
A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later, researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was patched in Mirth Connect version 4.4.1. This Metasploit module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.
Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability. Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. "This is an easily exploitable, unauthenticated remote code
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.