CVE-2023-24057: Security Vulnerability in HL7 FHIR Core Libraries Prior to Version 5.6.92 - Directory Traversal leading to Arbitrary File Extraction

A newly discovered and critical vulnerability (CVE-2023-24057) has been found in the widely used Health Level 7 (HL7) FHIR Core Libraries (versions prior to 5.6.92). This vulnerability allows attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive. These archives can be used for a prepackaged terminology cache, NPM package, or comparison archive.

In this post, we will provide an overview of HL7 FHIR Core Libraries, discuss the details of the vulnerability, show a code snippet demonstrating the issue, and provide links to original references about the security vulnerability. We will also discuss how to exploit the vulnerability and what steps can be taken to mitigate it.

What are HL7 FHIR Core Libraries?
Health Level 7 (HL7) is an international, nonprofit organization that develops standards for exchanging, integrating, sharing, and retrieving electronic health information. One of their key standards is the Fast Healthcare Interoperability Resources (FHIR), which is a platform-agnostic, widely adopted method to represent and exchange health data. The FHIR Core Libraries provide an implementation of the FHIR standard in various programming languages, which can be integrated into applications to facilitate healthcare data management.

CVE-2023-24057 Vulnerability Details

The vulnerability (CVE-2023-24057) occurs due to inadequate handling of ZIP and TGZ archives containing relative paths that include ".." (parent directory) characters. It allows an attacker to craft a malicious archive and, when processed by a vulnerable version of the HL7 FHIR Core Libraries, extract the contained files into arbitrary directories on the target machine. This may lead to information disclosure or unauthorized modification of critical system files.

Exploit Details

Exploiting this vulnerability requires an attacker to create a malicious ZIP or TGZ archive containing files with crafted relative paths, such as "..\..\..\..\arbitrary_directory\file.txt". Then, the attacker needs to get the target application using the vulnerable FHIR Core Libraries to process the crafted archive.

Here's a simple example in Python that shows how one could create such a malicious archive

import zipfile

# Create a malicious zip archive
with zipfile.ZipFile("malicious.zip", "w") as zip_file:
    zip_file.writestr("../exploit/file.txt", "Malicious content")

Upon processing the "malicious.zip" archive using a vulnerable version of FHIR Core Libraries, the file "file.txt" would be extracted to the "exploit" directory located two levels up in the directory hierarchy.

Mitigation Steps

The developers of the HL7 FHIR Core Libraries have resolved this vulnerability by releasing version 5.6.92. All the users of the FHIR Core Libraries must immediately upgrade to the latest version to protect their systems against this critical vulnerability.

1. CVE-2023-24057 - MITRE Entry
2. HL7 FHIR Core Libraries - GitHub Repository (contains the latest version with the security fix)

Conclusion

In summary, CVE-2023-24057 is a critical security vulnerability in the widely used HL7 FHIR Core Libraries, which enables attackers to extract files into arbitrary directories from a crafted ZIP or TGZ archive. Users must immediately upgrade to version 5.6.92 or higher to protect themselves from potential exploitation.

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/06/2023 14:29:00 UTC