The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert to the healthcare and public health sector concerning three high-severity vulnerabilities identified in the OFFIS DCMTK software. The toolkit is used to examine, construct, and convert DICOM image files, handle offline media, and send and receive images over a network.
The vulnerabilities affect all versions of DCMTK before version 3.6.7. A remote attacker exploiting them could cause a denial-of-service condition, write malformed DICOM files to arbitrary directories, and achieve remote code execution.
Two path traversal vulnerabilities were discovered in the product that can be exploited to write malformed files to arbitrary directories with attacker-controlled names, enabling remote code execution. The service class provider (SCP) of the product is susceptible to CVE-2022-2119, a path traversal vulnerability. The service class user (SCU) is susceptible to CVE-2022-2120, a relative path traversal vulnerability. Both vulnerabilities were given a high-severity CVSS v3 base score of 7.5 out of 10.
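The defensive check both issues call for is the same: a filename that a peer can influence must never be allowed to escape the configured storage directory. The following is an added example, not DCMTK's own code; `safeStoragePath` and `isPlainFilename` are hypothetical helper names, and the storage directory and filenames in the comments are constructed values.

```cpp
// Added example (not DCMTK code): contain peer-influenced filenames to the
// storage directory of a DICOM Storage SCP before any file is written.
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// A filename derived from peer data is acceptable only as a single plain path
// component: non-empty, not "." or "..", and free of separators and NUL bytes.
bool isPlainFilename(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (char c : name) {
        if (c == '/' || c == '\\' || c == '\0') return false;
    }
    return true;
}

// Builds the output path for a received object. `untrustedName` is whatever the
// peer supplied (for example a name derived from a UID in the dataset).
// Returns std::nullopt unless the name is a plain component AND the normalized
// result is still directly inside `storageDir` (defence in depth: the second
// check holds even if the first is ever loosened).
// Note: this is a lexical check; it does not follow symlinks, so the storage
// directory itself must not contain attacker-controlled links.
std::optional<fs::path> safeStoragePath(const fs::path& storageDir,
                                        const std::string& untrustedName) {
    if (!isPlainFilename(untrustedName)) return std::nullopt;

    const fs::path base = storageDir.lexically_normal();
    const fs::path candidate = (base / untrustedName).lexically_normal();

    // The path relative to the base must be exactly the single component we
    // were given: anything else means the candidate left the directory.
    const fs::path rel = candidate.lexically_relative(base);
    if (rel.empty() || rel != fs::path(untrustedName)) return std::nullopt;

    return candidate;
}
```

Reject the transfer (or quarantine the object under a name you generate yourself) whenever `safeStoragePath` returns `std::nullopt`; never fall back to the peer-supplied name.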
The third vulnerability is a NULL pointer dereference found during the processing of DICOM files. The product dereferences a pointer that it expects to be valid; if the pointer is NULL, the software crashes. The vulnerability can be exploited to cause a denial-of-service condition. It is tracked as CVE-2022-2121 and was given a high-severity CVSS v3 base score of 6.5 out of 10.
Noam Moshe of Claroty reported the vulnerabilities to CISA. OFFIS has fixed them in DCMTK version 3.6.7 and has advised all users to update to the latest version of the software immediately to prevent exploitation.
The risk of exploitation of vulnerabilities like these can be reduced by ensuring that the affected product, management systems, and devices are not exposed to the internet. The product should be placed behind a firewall and isolated from the business network, and when remote access is required, secure methods of connection such as a Virtual Private Network (VPN) should be used. Any VPN in use must itself be kept up to date, because VPNs can contain vulnerabilities that could be exploited.