CISA Alerts Healthcare Sector to OFFIS DCMTK Cybersecurity Vulnerabilities

June 27, 2022 - High-severity cybersecurity vulnerabilities in OFFIS DCMTK software could result in remote code execution (RCE) if exploited, the Cybersecurity and Infrastructure Security Agency (CISA) warned in a recent advisory. OFFIS recommended that all users update to version 3.6.7 or later as soon as possible.

DCMTK consists of libraries and applications that process Digital Imaging and Communications in Medicine (DICOM) files.

“It includes software for examining, constructing and converting DICOM image files, handling offline media, sending and receiving images over a network connection, as well as demonstrative image storage and worklist servers,” OFFIS states on its website.

“It is used by hospitals and companies all over the world for a wide variety of purposes ranging from being a tool for product testing to being a building block for research projects, prototypes and commercial products.”

The vulnerabilities impact all DCMTK versions prior to 3.6.7. Two of the vulnerabilities (CVE-2022-2119 and CVE-2022-2120) received a Common Vulnerability Scoring System (CVSS) v3 score of 7.5, and the third (CVE-2022-2121) received a score of 6.5.

“Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution,” CISA stated.

The first two vulnerabilities (CVE-2022-2119 and CVE-2022-2120) showed that the impacted product’s service class provider (SCP) and service class user (SCU) were vulnerable to path traversal. This could allow a hacker to write DICOM files into arbitrary directories under controlled names, consequently allowing for remote code execution.

The third vulnerability disclosure (CVE-2022-2121) noted that the affected product “has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition.”

CISA recommended that healthcare organizations take defensive measures to mitigate risks associated with these vulnerabilities. Specifically, all users should isolate control system networks and remote devices from the business network and put them behind firewalls.

Additionally, users should minimize network exposure for all control system devices and use Virtual Private Networks (VPNs) when remote access is required.

“CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” CISA emphasized.

No known exploits of these vulnerabilities have been reported.

In other news, CISA and the US Coast Guard Cyber Command (CGCYBER) recently released a joint advisory to warn organizations of continued Log4Shell exploits, which have largely resulted from organizations neglecting to apply publicly available patches or workarounds. The advisory urged critical infrastructure entities to patch immediately to avoid further exploits.