CVE-2023-43208 Detection: NextGen’s Mirth Connect RCE Vulnerability Exposes Healthcare Data to Risks

[post-views]
October 31, 2023 · 3 min read
CVE-2023-43208 Detection: NextGen’s Mirth Connect RCE Vulnerability Exposes Healthcare Data to Risks

Vulnerabilities affecting popular software expose thousands of organizations in diverse industry sectors to severe threats. October has been rich in uncovering critical security flaws in widely used software products, like CVE-2023-4966, a hazardous Citrix NetScaler vulnerability, and CVE-2023-20198 zero-day affecting Cisco IOS XE. In the last decade of October 2023, defenders warned the global community of another critical vulnerability impacting Mirth Connect, the open-source integration engine leveraged by thousands of healthcare providers. The unveiled security bug exposes sensitive healthcare data to the risks of compromise.

Detect CVE-2023-43208

To streamline threat investigation and help security professionals detect potential CVE-2023-43208 exploitation attempts, SOC Prime Platform for collective cyber defense offers a curated detection rule compatible with 28 SIEM, EDR, XDR, and Data Lake native formats as well as Sigma. The rule is mapped to MITRE ATT&CK framework addressing Privilege Escalation tactics, with Exploitation for Privilege Escalation (T1068) as a main technique.

Possible CVE-2023-43208 (NextGen Mirth Connect Remote Code Execution Vulnerability) Exploitation Attempt (via process_creation)

To browse the entire collection of Sigma rules aimed at trending CVE detection and dive into relevant threat intelligence, click the Explore Detections button below.

Explore Detections

CVE-2023-43208 Analysis

Healthcare providers that rely on NextGen HealthCare’s open-source data integration cross-platform Mirth Connect solution are strongly recommended to instantly update the software to the latest version as a result of an instant disclosure of a novel RCE vulnerability tracked as CVE-2023-43208.

All Mirth Connect instances before version 4.4.1 are considered vulnerable to the revealed security bug. The vulnerability is a result of an incomplete patch of an earlier discovered RCE vulnerability impacting Mirth Connect v4.3.0 known as CVE-2023-37679 with a CVSS score of 9.8.

CVE-2023-43208 can be exploited by adversaries to gain initial access to the system, further leading to the compromise of critical healthcare data. On Windows systems, where Mirth Connect appears to be most commonly deployed and runs with the System privileges, CVE-2023-43208 can be weaponized by executing the ping command on a Windows host, as states the Horizon3.ai research. Although the exploit for CVE-2023-43208 is currently not publicly available, the exploitation methods based on Java XStream are widely recognized and well-documented. Cybersecurity researchers have refrained from sharing additional technical insights into the security bug due to the fact that even earlier Mirth Connect versions of 2015 and 2016 seem to be also at risk of compromise.

Due to the widespread knowledge of CVE-2023-43208 exploitation methods, it is strongly advised to update Mirth Connect to version 4.4.1 to minimize the risks, as well as proactively detect exploitation attempts. Stay ahead of any offensive campaigns with access to the latest detection algorithms from the Threat Detection Marketplace against CVEs, zero-days, and any emerging attacks of any scale.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts