<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fhir - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/fhir/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/fhir/feed.xml" rel="self" type="application/rss+xml"/><item><title>FHIR Validator SSRF via /loadIG Leads to Credential Theft</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-fhir-validator-ssrf/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-fhir-validator-ssrf/</guid><description>The FHIR Validator HTTP service is vulnerable to server-side request forgery (SSRF) via the `/loadIG` endpoint, enabling attackers to steal authentication tokens by exploiting a prefix-matching flaw in the credential provider.</description><content:encoded><![CDATA[<p>The FHIR Validator HTTP service is susceptible to a server-side request forgery (SSRF) vulnerability through the unauthenticated <code>/loadIG</code> endpoint. This endpoint, intended for loading Implementation Guides (IGs), can be abused to make outbound HTTP requests to attacker-controlled URLs. The vulnerability stems from a combination of the SSRF and a flaw in how the application handles authentication credentials. Specifically, the <code>ManagedWebAccessUtils.getServer()</code> function uses <code>startsWith()</code> for URL prefix matching when determining whether to attach authentication tokens. An attacker can exploit this by registering a domain that is a prefix of a legitimate FHIR server URL, causing the application to send the server's authentication tokens (Bearer, Basic, API keys) to the attacker's domain. This flaw affects FHIR Validator versions prior to 6.9.4. Successful exploitation leads to credential theft, potentially enabling supply chain attacks and data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a POST request to the <code>/loadIG</code> endpoint of the FHIR Validator HTTP service.</li>
<li>The POST request contains a JSON body with an <code>ig</code> field set to an attacker-controlled URL that is a prefix of a legitimate FHIR server URL (e.g., <code>https://packages.fhir.org.attacker.com/malicious-ig</code>).</li>
<li>The FHIR Validator processes the request and uses <code>IgLoader.loadIg()</code> to load the IG, triggering <code>ManagedWebAccess.get()</code> to fetch content from the specified URL.</li>
<li><code>ManagedWebAccess.get()</code> creates a <code>SimpleHTTPClient</code> and attaches an <code>authProvider</code>.</li>
<li>The <code>authProvider</code> uses <code>startsWith()</code> to check if the attacker-controlled URL matches the prefix of any configured FHIR server URLs.</li>
<li>Due to the prefix match, the authentication tokens (Bearer, Basic, API keys) associated with the legitimate FHIR server are added to the HTTP request headers.</li>
<li>The <code>SimpleHTTPClient</code> sends the HTTP request, including the stolen authentication tokens, to the attacker-controlled server.</li>
<li>The attacker captures the request and extracts the authentication tokens, potentially gaining unauthorized access to FHIR resources or registries.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability allows attackers to steal authentication tokens configured for legitimate FHIR servers. This credential theft can lead to a variety of impacts. First, the stolen credentials can be used to compromise FHIR package registries, potentially enabling supply chain attacks where malicious FHIR packages are distributed to downstream consumers. Second, if the stolen credentials grant access to protected FHIR endpoints, patient health records and other sensitive data could be exposed, leading to data breaches and regulatory consequences. Finally, the compromised validator service can indirectly impact the security of external FHIR registries, package servers and other systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to FHIR Validator version 6.9.4 or later to patch CVE-2026-34361 and address the SSRF vulnerability.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousFHIRValidatorLoadIG</code> to monitor for exploitation attempts targeting the <code>/loadIG</code> endpoint.</li>
<li>Implement network monitoring to detect outbound connections from the FHIR Validator to suspicious or unexpected domains, using the IOC <code>https://packages.fhir.org.attacker.com/malicious-ig</code> as a starting point.</li>
<li>Review and harden the configuration of FHIR server authentication within <code>fhir-settings.json</code>, minimizing the use of URL prefixes and employing more robust authentication mechanisms where possible.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ssrf</category><category>fhir</category><category>credential-theft</category><category>vulnerability</category></item></channel></rss>