CVE-2023-43208

Description

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

Add Assessment

ccondon-r7 (286)

January 27, 2024 7:41pm UTC (9 months ago)

Ratings

Attacker Value

Medium

Technical Analysis

Knocking down attacker value a bit because there appear to be only a few hundred of these exposed and vulnerable, and perhaps surprisingly, it’s been a few months since full details were released and there’s still no known exploitation. Unclear how common the engine is in real-world environments from talking to offensive security folks focused on healthcare. I think it’s fair to balance rightful sensitivity about anything that could compromise healthcare systems with some skepticism about the particular target in this case. If we see IRL exploitation, I’m happy to eat those words :)

cbeek-r7 (181)

January 24, 2024 9:02am UTC (9 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

CVE-2023-43208 is a significant security vulnerability in NextGen Healthcare’s Mirth Connect, a widely used open-source data integration platform in the healthcare sector. This vulnerability, identified as an unauthenticated remote code execution (RCE) issue, was addressed in Mirth Connect version 4.4.1, released on October 6, 2023.

The vulnerability is especially critical because it stems from an incomplete patch of a previous vulnerability, CVE-2023-37679. This previous issue was a similar RCE vulnerability, supposedly patched in Mirth Connect version 4.4.0. However, CVE-2023-43208 emerged due to the inadequate resolution of CVE-2023-37679, making it a patch bypass issue.

The technical specifics of CVE-2023-43208 relate to the insecure use of the Java XStream library for unmarshalling XML payloads. The vulnerability affects versions of Mirth Connect before 4.4.1 and is particularly alarming due to the ease of exploitation. Attackers could exploit this vulnerability for initial access or to compromise sensitive healthcare data.

The CVSS (Common Vulnerability Scoring System) score for CVE-2023-43208 is 9.8, categorizing it as a critical vulnerability.

In terms of available proofs of concept (PoCs) for exploiting this vulnerability, a POC script was included in Horizon’s write-up of this vulnerability: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/

Given the severity and ease of exploitation of CVE-2023-43208, it is strongly recommended for organizations using Mirth Connect to update to version 4.4.1 or later to mitigate the risks associated with this vulnerability. The critical nature of this vulnerability, combined with the sensitive environments in which Mirth Connect is typically deployed, underscores the importance of prompt and thorough patching efforts.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

nextgen

Products

mirth connect

Metasploit Modules

exploit/multi/http/mirth_connect_cve_2023_43208 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mirth_connect_cve_2023_43208.rb)

Exploited in the Wild

Reported by:

cbeek-r7 indicated source as Threat Feed (https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/)

Reported: January 24, 2024 9:02am UTC (9 months ago)

nvn1729 indicated source as Other: Github discussion (https://github.com/nextgenhealthcare/connect/discussions/6124)

Reported: March 12, 2024 3:22am UTC (8 months ago)

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: May 21, 2024 3:39pm UTC (6 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:21am UTC (2 weeks ago)

References

Canonical

CVE-2023-43208 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43208)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2023-43208-EXPLOIT (https://github.com/K3ysTr0K3R/CVE-2023-43208-EXPLOIT) (Added by AKB Worker)

Miscellaneous

https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/

http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html

Rapid7

High

High

Very High

None

None

Network

CVE-2023-43208

Description