High Severity Flaws Identified in MicroDicom DICOM Viewer
Two high-severity vulnerabilities have been identified in MicroDicom DICOM Viewer medical image viewer, one of which could lead to the execution of arbitrary code and the other could allow an attacker to retrieve sensitive files, add new medical images, or overwrite existing medical images on the MicroDicom DICOM Viewer system.
CVE-2024-33606 is due to the use of a handler for a custom URL scheme that does not properly restrict which actors can invoke the handler using the scheme. The lack of proper authorization would allow an attacker to retrieve sensitive files containing patients’ protected health information, add new images, or replace existing images, potentially causing harm to patients. User interaction is required for an attacker to exploit the flaw. The vulnerability has been assigned a CVSS v4 severity score of 8.6 (CVSS v3.1 8.8).
CVE-2024-28877 is a stack-based buffer overflow vulnerability that could lead to arbitrary code execution, although user interaction is required to exploit the flaw. The vulnerability has been assigned a CVSS v4 severity score of 8.7/10 (CVSS v3.1 8.8).
The vulnerabilities affect DICOM Viewer versions prior to 2024.2. All users should update to version 2024.2, which was released on June 6, 2024. To improve protection against any future vulnerabilities, exposure can be reduced by ensuring that DICOM Viewer is not accessible from the internet, locating it behind a firewall and isolating it from the business network, and if remote access is required, using a secure method of access such as a virtual private network (VPN), and to ensure that the VPN is kept up to date and is running the latest version.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Two other high-severity vulnerabilities were fixed in the free-to-use medical image viewer in March 2024: CVE-2024-22100 and CVE-2024-25578.
