CISA Warns of Actively Exploited Flaws in NextGen Healthcare Mirth Connect and Chromium

CVE-2023-43208

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning to federal agencies and organizations worldwide: two critical security vulnerabilities are currently being actively exploited in the wild. The flaws, affecting NextGen Healthcare’s Mirth Connect integration engine and the widely used Chromium web browser, pose a significant risk of unauthenticated remote code execution and unauthorized access.


Mirth Connect Vulnerability: A Gateway for Remote Code Execution

The first vulnerability, tracked as CVE-2023-43208 (CVSS 9.8), affects NextGen Healthcare’s Mirth Connect. This software, widely used in healthcare settings for integrating disparate systems, contains a deserialization flaw that allows attackers to remotely execute arbitrary code on vulnerable servers without needing valid credentials. The implications for healthcare providers and their patients are severe, as successful exploitation could lead to data breaches, service disruptions, and even the compromise of critical medical devices.

Chromium Flaw: Type Confusion Opens Door to Sandbox Escapes

The second vulnerability, CVE-2024-4947, stems from a type confusion error in Google Chrome’s V8 JavaScript engine. Security researchers @buptsb and @mistymntncop have detailed how this flaw can be exploited to bypass the browser’s sandbox protections, allowing attackers to execute malicious code on the user’s system. This type of vulnerability is particularly dangerous as it can be leveraged to deliver malware, steal sensitive data, or even take complete control of the affected machine.

Google has responded to the Chromium vulnerability by promptly releasing updated versions of Chrome (125.0.6422.60/.61 for Mac and Windows, 125.0.6422.60 for Linux). However, the threat of ongoing attacks remains until all users update their browsers. The widespread use of Chromium in various web browsers, including Google Chrome, Microsoft Edge, and Opera, makes this a significant concern for a vast number of users.

CISA Urges Immediate Action

CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgency of the situation. Federal agencies have been given a deadline of June 10, 2024, to apply vendor-provided patches or mitigations. Organizations outside of the federal government are strongly encouraged to follow suit, as these vulnerabilities are likely being actively targeted by cybercriminals.
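For defenders, the practical work behind this advisory is matching KEV entries against what is actually installed and tracking the remediation deadline. The script below is an added example, not code from the article, CISA, NextGen Healthcare or Google. It assumes the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`), uses a constructed two-entry KEV extract and a constructed inventory, and takes the Chrome fixed version (125.0.6422.60, the lowest of the builds named above) from the article. Because the article gives no fixed version for Mirth Connect and no Edge build number, those assets are reported as "unknown-fix-version" rather than guessed at.

```python
"""Triage a CISA KEV catalog extract against a software inventory.

Added example; not the article's or any vendor's code. The KEV field names
are those of the real feed; the catalog extract, inventory, and version
numbers below are constructed for illustration (except the Chrome fixed
version 125.0.6422.60, which the article states).
"""
import json
from datetime import date

# Constructed KEV extract covering only the two CVEs in the article, with the
# federal due date the article states (2024-06-10). The live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2023-43208", "vendorProject": "NextGen Healthcare",
         "product": "Mirth Connect", "dueDate": "2024-06-10"},
        {"cveID": "CVE-2024-4947", "vendorProject": "Google",
         "product": "Chromium V8", "dueDate": "2024-06-10"},
    ],
})

# Chromium-based browsers inherit V8 flaws, so map them onto the KEV product name.
PRODUCT_ALIASES = {"Google Chrome": "Chromium V8", "Microsoft Edge": "Chromium V8",
                   "Opera": "Chromium V8"}

# Minimum fixed version per inventory product. Only Chrome's is on the page;
# anything absent here is reported as unknown rather than invented.
FIXED_VERSIONS = {"Google Chrome": "125.0.6422.60"}

# Constructed inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "int-engine-01", "product": "Mirth Connect", "version": "4.3.0"},
    {"host": "ws-101", "product": "Google Chrome", "version": "124.0.6367.208"},
    {"host": "ws-102", "product": "Google Chrome", "version": "125.0.6422.61"},
    {"host": "ws-103", "product": "Microsoft Edge", "version": "125.0.2535.51"},
]


def parse_version(v):
    """Turn '125.0.6422.60' into (125, 0, 6422, 60) so tuples compare numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def load_kev(kev_json):
    """Index a KEV catalog document by CVE id."""
    doc = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def triage(kev_json, inventory, fixed_versions, today_iso):
    """Return one finding per (asset, KEV entry) pair whose product names match.

    status is 'patched' when the installed version is at or above the known fixed
    version, 'vulnerable' when it is below, and 'unknown-fix-version' when no
    fixed version is known for that product. overdue is True once the KEV due
    date has passed and the asset is not confirmed patched.
    """
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        canonical = PRODUCT_ALIASES.get(asset["product"], asset["product"])
        for cve, entry in kev.items():
            if entry["product"].lower() != canonical.lower():
                continue
            due = date.fromisoformat(entry["dueDate"])
            fixed = fixed_versions.get(asset["product"])
            if fixed is None:
                status = "unknown-fix-version"
            elif parse_version(asset["version"]) >= parse_version(fixed):
                status = "patched"
            else:
                status = "vulnerable"
            findings.append({
                "host": asset["host"], "cve": cve, "status": status,
                "days_to_due": (due - today).days,
                "overdue": today > due and status != "patched",
            })
    return findings


def run_example(today_iso="2024-06-12"):
    """Run the triage over the constructed data; default date is past the deadline."""
    return triage(KEV_SAMPLE, INVENTORY, FIXED_VERSIONS, today_iso)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Feeding the live feed into `triage` only requires replacing `KEV_SAMPLE` with the downloaded JSON; the version comparison deliberately refuses to judge products whose fixed version it does not know, so an Edge or Mirth Connect host shows up for manual follow-up against the vendor advisory instead of being silently marked safe.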