A newly discovered security vulnerability called CVE-2023-28465 affects the package-decompression feature in the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Core Libraries before version 5.6.106. Through this flaw, attackers can potentially copy arbitrary files to certain directories using directory traversal techniques if an allowed directory name is a substring of the directory name chosen by the attacker. This vulnerability stems from an incomplete fix for the earlier identified CVE-2023-24057 vulnerability.

Code snippet

The following Python snippet illustrates the effect of the vulnerability. Using directory traversal, an attacker can copy arbitrary data from one directory to another.

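import shutil
import os

# Illustrative relative paths: the target climbs out with ../ into a directory
# whose name contains an allowed directory name as a substring.
source_directory = '../example-attack/source_directory/'
target_directory = '../../allowed-substring-directory/target_directory/'
file_to_copy = 'malicious_file.txt'

# copy2 copies the file contents and metadata into the target directory.
shutil.copy2(os.path.join(source_directory, file_to_copy), target_directory)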

The original references and details about this vulnerability can be found at the following sources:

1. National Vulnerability Database (NVD) entry for CVE-2023-28465 - https://nvd.nist.gov/vuln/detail/CVE-2023-28465
2. HL7 FHIR Core Libraries GitHub repository with the fixed version - https://github.com/HL7/fhir-core
3. Incomplete fix for CVE-2023-24057 - https://nvd.nist.gov/vuln/detail/CVE-2023-24057

Exploit details

The main exploit takes advantage of the incomplete fix for CVE-2023-24057 in the package-decompression feature of the HL7 FHIR Core Libraries. When the directory name chosen by the attacker contains an allowed directory name as a substring, the attacker can use directory traversal to copy arbitrary files from one directory to another. This compromises the security of the application because it enables unauthorized access and potentially data leakage.
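One way a substring condition like this arises is a containment check that compares path strings by prefix instead of by whole path components. The following Python sketch is an added example, not code from the FHIR Core Libraries; the root path, entry names and function names are constructed for illustration, and the check is lexical only (symbolic links are not resolved).

```python
import posixpath

ALLOWED_ROOT = "/opt/fhir/packages"  # constructed sample path, not from the page

# Constructed archive entry names (archive entries use forward slashes).
SAMPLE_ENTRIES = [
    "package/package.json",
    "package/../package/StructureDefinition-a.json",
    "../packages-backup/package.json",
    "../../etc/example.conf",
    "/tmp/example.txt",
]

def resolve(root, entry_name):
    """Join an entry name onto the root and collapse '.' and '..' segments."""
    return posixpath.normpath(posixpath.join(root, entry_name))

def prefix_check(root, entry_name):
    """Flawed: plain string-prefix test, so '/opt/fhir/packages-backup' passes."""
    return resolve(root, entry_name).startswith(root)

def component_check(root, entry_name):
    """Hardened: the root must be an ancestor by whole path components."""
    root = posixpath.normpath(root)
    target = resolve(root, entry_name)
    return posixpath.commonpath([root, target]) == root

def classify(root, entries):
    """Map each entry to 'ok', 'rejected', or 'prefix-bypass'."""
    result = {}
    for name in entries:
        if component_check(root, name):
            result[name] = "ok"
        elif prefix_check(root, name):
            # Accepted by the string test but outside the root: the gap to close.
            result[name] = "prefix-bypass"
        else:
            result[name] = "rejected"
    return result

if __name__ == "__main__":
    for name, verdict in classify(ALLOWED_ROOT, SAMPLE_ENTRIES).items():
        print(f"{verdict:14} {name}")
```

Running `classify` over the entry names of a package before extraction shows which ones a prefix-only check would have let through.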

To protect against this vulnerability, users are urged to update the FHIR Core Libraries to the latest version (5.6.106 or later), which contains the appropriate patch addressing this issue.

Conclusion

CVE-2023-28465 is a critical vulnerability that can result in unauthorized access to sensitive data and potential data leakage in applications that use the HL7 FHIR Core Libraries. Users should be aware of this vulnerability and update to the latest version of the FHIR Core Libraries, which fixes this security flaw.

Stay informed on the latest security vulnerabilities and protect your healthcare application by keeping track of announcements from organizations such as the National Vulnerability Database and the HL7 FHIR Core Libraries GitHub repository.

Timeline

Published on: 12/12/2023 17:15:07 UTC
Last modified on: 12/15/2023 16:35:16 UTC