Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection.

The vulnerabilities affect all versions of DCMTK prior to version 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.

Two path traversal vulnerabilities have been identified in the product which could be exploited to write malformed files into arbitrary directories under controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high severity).

The third flaw is a NULL pointer deference vulnerability that exists while processing DICOM files. The product dereferences a pointer that it expects to be valid, but if it is NULL, it causes the software to crash. The vulnerability could be exploited to trigger a denial-of-service condition. The vulnerability is tracked as CVE-2022-2121 and has been assigned a CVSS v3 base score of 6.5 out of 10 (high severity).

Please see the HIPAA Journal Privacy Policy

The vulnerabilities were reported to CISA by Noam Moshe of Claroty. OFFIS has corrected the vulnerabilities in DCMTK version 3.6.7. All users are advised to update to the latest version of the software as soon as possible to prevent exploitation of the flaws.

The risk of exploitation of vulnerabilities such as these can be minimized by ensuring the affected product, control systems, and devices are not exposed to the Internet. The product should be located behind a firewall and isolated from the business network, and if remote access is required, secure methods of connection should be used such as a Virtual Private Network (VPN). If a VPN is used, it should be kept up to date, as VPNs can contain vulnerabilities that can be exploited.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.