CVE-2023-43208 Detection

Vulnerabilities affecting popular software expose thousands of organizations across industry sectors to severe threats. October has been rich in critical security flaws in widely used products, such as CVE-2023-4966, a dangerous Citrix NetScaler vulnerability, and CVE-2023-20198, a zero-day affecting Cisco IOS XE. In the last ten days of October 2023, defenders warned the global community of another critical vulnerability, this one impacting Mirth Connect, the open-source integration engine used by thousands of healthcare providers. The disclosed security bug exposes sensitive healthcare data to the risk of compromise.

Detect CVE-2023-43208

To streamline threat investigation and help security professionals detect potential CVE-2023-43208 exploitation attempts, the SOC Prime Platform for collective cyber defense offers a curated detection rule compatible with 28 SIEM, EDR, XDR, and Data Lake native formats as well as Sigma. The rule is mapped to the MITRE ATT&CK framework, addressing the Privilege Escalation tactic with Exploitation for Privilege Escalation (T1068) as the main technique.

Possible CVE-2023-43208 (NextGen Mirth Connect Remote Code Execution Vulnerability) Exploitation Attempt (via process_creation)

To browse the entire collection of Sigma rules aimed at trending CVE detection and dive into relevant threat intelligence, click the Explore Detections button below.


CVE-2023-43208 Analysis

Healthcare providers that rely on NextGen HealthCare's open-source, cross-platform data integration solution Mirth Connect are strongly advised to update the software to the latest version immediately, following the disclosure of a new RCE vulnerability tracked as CVE-2023-43208.

All Mirth Connect instances before version 4.4.1 are considered vulnerable to the disclosed security bug. The vulnerability results from an incomplete patch for an earlier RCE vulnerability, CVE-2023-37679 (CVSS score 9.8), which affected Mirth Connect v4.3.0.

CVE-2023-43208 can be exploited by adversaries to gain initial access to the system, which can further lead to the compromise of critical healthcare data. On Windows systems, where Mirth Connect appears to be most commonly deployed and runs with SYSTEM privileges, CVE-2023-43208 can be weaponized by executing the ping command on the Windows host, as the Horizon3.ai research states. Although an exploit for CVE-2023-43208 is not currently publicly available, exploitation methods based on Java XStream are widely recognized and well documented. Security researchers have refrained from sharing additional technical details about the bug because even Mirth Connect versions dating back to 2015 and 2016 appear to be at risk of compromise.
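The process_creation logic such a rule encodes, as an added Python example that is neither SOC Prime's rule nor Mirth Connect's code: flag a ping or shell process spawned by the Mirth Connect Java process. The parent image path (assumed to contain "Mirth Connect"), the child list (generalized from ping to cmd.exe and powershell.exe) and the sample events are constructed assumptions, not real telemetry.

```python
from pathlib import PureWindowsPath

# Constructed process_creation events in a Sysmon Event ID 1 style.
# Paths are assumptions for this example, not Mirth Connect's documented layout.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Mirth Connect\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 10.0.0.5", "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Program Files\Mirth Connect\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # ordinary user activity
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 8.8.8.8", "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Program Files\Mirth Connect\jre\bin\java.exe",
     "Image": r"C:\Program Files\Mirth Connect\jre\bin\java.exe",  # benign JVM child
     "CommandLine": "java -version", "User": r"NT AUTHORITY\SYSTEM"},
]

# Parent must look like the Mirth Connect service (assumption: install path
# contains "mirth connect"); child must be ping, as in the research, or a shell.
PARENT_MARKER = "mirth connect"
SUSPICIOUS_CHILDREN = {"ping.exe", "cmd.exe", "powershell.exe"}


def is_suspicious(event: dict) -> bool:
    """True when a Mirth Connect process spawns ping or a command shell."""
    parent = event.get("ParentImage", "").lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return PARENT_MARKER in parent and child in SUSPICIOUS_CHILDREN


def detect(events) -> list:
    """Return one alert dict per matching event, preserving triage fields."""
    alerts = []
    for ev in events:
        if not is_suspicious(ev):
            continue
        user = ev.get("User", "")
        alerts.append({
            "rule": "Possible CVE-2023-43208 exploitation attempt (process_creation)",
            "parent": ev["ParentImage"],
            "child": ev["Image"],
            "cmdline": ev.get("CommandLine", ""),
            "user": user,
            # A SYSTEM child shows the service's privileges were inherited.
            "system_context": user.upper().endswith("SYSTEM"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```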

Because CVE-2023-43208 exploitation methods are widely known, it is strongly advised to update Mirth Connect to version 4.4.1 to minimize the risk, and to proactively detect exploitation attempts. Stay ahead of offensive campaigns with access to the latest detection algorithms from the Threat Detection Marketplace covering CVEs, zero-days, and emerging attacks of any scale.
