Is NextGen interoperability tool vulnerable to RCE attack?

MITRE entered CVE-2023-43208 into the catalog of vulnerability exploits on Thursday and the National Institute of Standards and Technology says the flaw, which impacts certain versions of NextGen software and could result in remote code execution, is currently waiting for analysis.

Why it matters
“Instances of NextGen Healthcare Mirth Connect before version 4.4.1 are vulnerable to unauthenticated remote code execution Mirth Connect by NextGen Healthcare,” according to NIST.

This is the tool’s second CVE update in recent months. Designed to help hospitals and health systems centralize health data and communicate across disparate systems and locations, according to NextGen’s website.

When CVE-2023-37679 was discovered in June, NextGen released an update in beta and then released Version 4.4.0 in July. That threat, considered high-level, allowed attackers to execute arbitrary commands on hosting servers.

The newer vulnerability, CVE-2023-43208, is caused by the incomplete patch of CVE-2023-37679, according to MITRE.

“NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution,” MITRE said.

NIST refers visitors to the National Vulnerability Database to a Horizon3.ai analysis that indicates Mirth Connect versions going as far back as 2015/2016 are vulnerable – particularly the instances that are Internet-facing.

The larger trend
NextGen has been the target of cybercriminals more than once this year. In January, the BlackCat ransomware group posted an alleged sample of NextGen information on its extortion site.

“We immediately contained the threat, secured our network and have returned to normal operations,” NextGen said after the alleged ransomware attack.

Then in April, the electronic health records vendor notified affected patients that an unknown third party used stolen credentials and gained access to personal information between March 29 and April 14. By May, NextGen was sued in federal court for the data breach.

While the number of exploited healthcare IT vulnerabilities increased from 43 to 160 this year, according to an August report on healthcare software and firmware risks by the Health Information Sharing and Analysis Center with Securin and Finite State, RCE vulnerabilities are up 437%.

The Cybersecurity and Infrastructure Security Agency said that RCE vulnerabilities were some of the top vulnerabilities that cybercriminals exploited in 2022, affecting certain VMware products and Atlassian Confluence and Data Center.

CISA, as well as the Federal Bureau of Investigation, have also been raising alarm bells about these cybersecurity risks to medical devices. In certain instances, such as with the Medtronic cardiac device security vulnerability, cyber actors can threaten patient health because they can take control of medical devices.

“If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service attacks by sending specially crafted messages to the Paceart Optima system,” CISA said in its advisory.

On the record
“Security remains a top priority for NextGen Healthcare, NextGen Healthcare spokesperson told HealthcareIT News. “Most Mirth Connect users would not have exposure to that vulnerability in their systems, however, we recommend users upgrade to the latest version of Mirth Connect where the vulnerability no longer exists.” Healthcare IT News