Three critical flaws in the OFFIS DCMTK software have been identified by the Cybersecurity and Infrastructure Security Agency (CISA), which has released a security advisory for the healthcare and public health sectors. The program is used for processing offline media, creating and converting DICOM image files, and transmitting and receiving images through a network connection.
All DCMTK versions prior to 3.6.7 are affected by the critical flaws. If the flaws are abused, a remote attacker may cause a denial-of-service issue, write corrupt DICOM files into arbitrary directories, and obtain remote code execution. The software has two path traversal vulnerabilities that could be used to write malicious files into any directory with a given name, resulting in remote code execution. The service class user (SCU) and the service class provider (SCP) of the product are vulnerable to relative path traversal (CVE-2022-2120) and path traversal, respectively. CISA determined that the CVSS v3 base score for both vulnerabilities is 7.5 out of 10 (high severity). The third problem is a NULL pointer dereference that occurs when processing DICOM files: when a pointer that the product expects to be valid is dereferenced, the software crashes if the pointer is NULL. Exploiting the vulnerability could cause a denial-of-service issue. The vulnerability was given the tracking number CVE-2022-2121 and a CVSS v3 base score of 6.5 out of 10 (high severity).
Noam Moshe of Claroty informed CISA of the vulnerabilities. OFFIS has patched the vulnerabilities in DCMTK 3.6.7. To prevent exploitation, it is recommended that all users update to the most recent version of the software as quickly as possible. CISA also advised a number of other mitigations. The danger of exploitation can be reduced by making sure the impacted product, control systems, and devices are not exposed to the Internet. If remote access is necessary, secure connection methods such as a Virtual Private Network (VPN) should be employed. The product should be placed behind a firewall and kept separate from the company network. If a VPN is used, it should be kept up to date, because VPNs can have security flaws that can be leveraged against the user.
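As a way to act on the update advice above, the following added example (not from CISA, OFFIS or the original article) classifies a DCMTK tool's version banner against the fixed release 3.6.7. The banner layout `$dcmtk: <tool> v<version> <date> $` is an assumption about the tools' `--version` output, and the sample banners in the comments are constructed.

```shell
#!/bin/sh
# Added example: flag DCMTK builds older than the fixed release named in the article.

FIXED_VERSION="3.6.7"   # first patched release, per the article

# Extract "X.Y.Z" from a banner line.
# Assumed layout (constructed sample): $dcmtk: storescp v3.6.6 2021-01-14 $
# Snapshot-style suffixes such as v3.6.1_20170228 are reduced to 3.6.1.
dcmtk_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/.* v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 if version $1 >= version $2, comparing the three fields numerically
# (so 3.10.0 is correctly treated as newer than 3.6.7).
version_ge() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# Print "patched", "vulnerable" or "unknown" for a banner string.
dcmtk_status() {
    v=$(dcmtk_banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check whichever DCMTK tools are on PATH; tools that are absent are skipped.
for tool in storescp storescu dcmdump; do
    if command -v "$tool" >/dev/null 2>&1; then
        echo "$tool: $(dcmtk_status "$("$tool" --version 2>&1)")"
    fi
done
```

An `unknown` result means the banner could not be parsed and the host should be checked by hand rather than assumed patched.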