{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fhir-validator/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FHIR Validator"],"_cs_severities":["critical"],"_cs_tags":["ssrf","fhir","credential-theft","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe FHIR Validator HTTP service is susceptible to a server-side request forgery (SSRF) vulnerability through the unauthenticated \u003ccode\u003e/loadIG\u003c/code\u003e endpoint. This endpoint, intended for loading Implementation Guides (IGs), can be abused to make outbound HTTP requests to attacker-controlled URLs. The vulnerability stems from a combination of the SSRF and a flaw in how the application handles authentication credentials. Specifically, the \u003ccode\u003eManagedWebAccessUtils.getServer()\u003c/code\u003e function uses \u003ccode\u003estartsWith()\u003c/code\u003e for URL prefix matching when determining whether to attach authentication tokens. An attacker can exploit this by registering a domain that is a prefix of a legitimate FHIR server URL, causing the application to send the server's authentication tokens (Bearer, Basic, API keys) to the attacker's domain. This flaw affects FHIR Validator versions prior to 6.9.4. Successful exploitation leads to credential theft, potentially enabling supply chain attacks and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/loadIG\u003c/code\u003e endpoint of the FHIR Validator HTTP service.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a JSON body with an \u003ccode\u003eig\u003c/code\u003e field set to an attacker-controlled URL that is a prefix of a legitimate FHIR server URL (e.g., \u003ccode\u003ehttps://packages.fhir.org.attacker.com/malicious-ig\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe FHIR Validator processes the request and uses \u003ccode\u003eIgLoader.loadIg()\u003c/code\u003e to load the IG, triggering \u003ccode\u003eManagedWebAccess.get()\u003c/code\u003e to fetch content from the specified URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eManagedWebAccess.get()\u003c/code\u003e creates a \u003ccode\u003eSimpleHTTPClient\u003c/code\u003e and attaches an \u003ccode\u003eauthProvider\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauthProvider\u003c/code\u003e uses \u003ccode\u003estartsWith()\u003c/code\u003e to check if the attacker-controlled URL matches the prefix of any configured FHIR server URLs.\u003c/li\u003e\n\u003cli\u003eDue to the prefix match, the authentication tokens (Bearer, Basic, API keys) associated with the legitimate FHIR server are added to the HTTP request headers.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSimpleHTTPClient\u003c/code\u003e sends the HTTP request, including the stolen authentication tokens, to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the request and extracts the authentication tokens, potentially gaining unauthorized access to FHIR resources or registries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows attackers to steal authentication tokens configured for legitimate FHIR servers. This credential theft can lead to a variety of impacts. First, the stolen credentials can be used to compromise FHIR package registries, potentially enabling supply chain attacks where malicious FHIR packages are distributed to downstream consumers. Second, if the stolen credentials grant access to protected FHIR endpoints, patient health records and other sensitive data could be exposed, leading to data breaches and regulatory consequences. Finally, the compromised validator service can indirectly impact the security of external FHIR registries, package servers and other systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to FHIR Validator version 6.9.4 or later to patch CVE-2026-34361 and address the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousFHIRValidatorLoadIG\u003c/code\u003e to monitor for exploitation attempts targeting the \u003ccode\u003e/loadIG\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect outbound connections from the FHIR Validator to suspicious or unexpected domains, using the IOC \u003ccode\u003ehttps://packages.fhir.org.attacker.com/malicious-ig\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of FHIR server authentication within \u003ccode\u003efhir-settings.json\u003c/code\u003e, minimizing the use of URL prefixes and employing more robust authentication mechanisms where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-fhir-validator-ssrf/","summary":"The FHIR Validator HTTP service is vulnerable to server-side request forgery (SSRF) via the `/loadIG` endpoint, enabling attackers to steal authentication tokens by exploiting a prefix-matching flaw in the credential provider.","title":"FHIR Validator SSRF via /loadIG Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-02-fhir-validator-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - FHIR Validator","version":"https://jsonfeed.org/version/1.1"}