Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in Medplum versions before 5.1.14. It occurs in the subscription worker component, where authenticated users can create FHIR Subscription resources with arbitrary endpoint URLs.

By exploiting this flaw, attackers can make unauthorized internal network requests to sensitive internal services such as cloud instance metadata services, internal databases, or container orchestration endpoints.

These requests include POST bodies containing full FHIR resource payloads, which can be used to exfiltrate sensitive information like IAM credentials and patient health records.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability includes unauthorized access to internal network resources by authenticated users, which can lead to the exfiltration of sensitive data.

• Exposure of IAM credentials, potentially allowing attackers to escalate privileges or access other systems.
• Leakage of patient health records, compromising patient privacy and confidentiality.
• Potential access to internal cloud metadata services or container orchestration endpoints, which could further compromise the infrastructure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves authenticated users creating FHIR Subscription resources with arbitrary endpoint URLs that can cause unauthorized internal network requests. Detection can focus on monitoring for unusual or unauthorized creation of FHIR Subscription resources, especially those with endpoints pointing to internal addresses such as cloud metadata services, internal databases, or container orchestration endpoints.

Network detection can include monitoring outbound POST requests from the Medplum server to internal IP ranges or unusual URLs that are not part of normal operations.

• Use API audit logs or database queries to identify creation or modification of FHIR Subscription resources with suspicious endpoint URLs.
• Monitor network traffic for POST requests from the Medplum server to internal IP addresses or metadata service endpoints.
• Example command to search logs for suspicious subscription endpoints (assuming logs contain JSON entries): `grep -i 'Subscription' /var/log/medplum.log | grep -E 'http://|https?://(169.254.169.254|127.0.0.1|localhost|10\.|172\.(1[6-9]|2[0-9]|3[0-1])|192\.168\.)'`
• Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP POST requests from the Medplum server and filter for internal IP ranges: `tcpdump -i eth0 tcp dst port 80 and src host <medplum-server-ip>`

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Medplum to version 5.1.14 or later, where the vulnerability is fixed by requiring HTTPS for rest-hook Subscription URLs by default.

If upgrading immediately is not possible, configure the system to reject HTTP endpoints for FHIR Subscription resources to prevent SSRF attacks.

• Upgrade Medplum to version 5.1.14 or later.
• Ensure that the configuration option `allowInsecureRestHookUrl` is disabled or set to false to block insecure HTTP URLs.
• Validate and audit existing FHIR Subscription resources to remove or update any with insecure or suspicious endpoint URLs.
• Implement network-level controls to restrict the Medplum server from making unauthorized internal network requests.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to exfiltrate sensitive data such as IAM credentials and patient health records by exploiting unauthorized internal network requests via FHIR Subscription endpoints.

Exfiltration of patient health records can lead to violations of data protection regulations like HIPAA, which mandates the protection of health information, and GDPR, which requires safeguarding personal data and reporting breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by potentially exposing protected health information and sensitive credentials.

Useful 0 Not Useful 0