OFFIS DCMTK
Plan: Patch
Score: 7.5
Advisory: ICS-CERT ICSMA-22-174-01
Published: Jun 23, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
DCMTK contains path traversal (CWE-22, CWE-23) and null pointer dereference (CWE-476) vulnerabilities that allow attackers with local or adjacent network access to write malformed DICOM files to arbitrary directories, cause denial-of-service, or execute arbitrary code. The vulnerabilities exist in all versions prior to 3.6.7.
What this means
What could happen
An attacker could execute arbitrary code on a device running DCMTK, write malicious DICOM files to arbitrary directories on the system, or cause the application to crash and stop processing medical imaging data.
Who's at risk
Healthcare organizations operating PACS (Picture Archiving and Communication Systems), radiology departments, or any medical imaging facility using DCMTK for DICOM file processing and transmission. This includes standalone imaging workstations, imaging servers, and legacy medical imaging devices that embed or use DCMTK libraries.
How it could be exploited
An attacker with local or adjacent network access sends specially crafted DICOM files or network requests to the DCMTK application. The path traversal flaws (CWE-22/23) let the attacker cause DCMTK to write files outside the intended directory, and the null pointer dereference (CWE-476) lets them crash the application or trigger code execution during file processing.
Prerequisites
- Local or adjacent network access to the DCMTK application
- Ability to send DICOM files or requests to the DCMTK service
- No authentication required to trigger the vulnerability
Tags:
- remotely exploitable
- no authentication required
- affects critical medical imaging systems
- path traversal and code execution possible
Exploitability
Moderate exploit probability (EPSS 5.1%)
Affected products (1)
Product       | Affected Versions | Fix Status
DCMTK: All    | < 3.6.7           | 3.6.7
Remediation & Mitigation
Do now
HARDENING: Isolate DICOM imaging systems from the business network and Internet; restrict network access to DCMTK services to only authorized medical imaging workstations.
WORKAROUND: Deploy network firewall rules to limit traffic to DCMTK services from trusted subnets only.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
HOTFIX: Update DCMTK to version 3.6.7 or later.
Long-term hardening
HARDENING: If remote access to DCMTK is required, use VPN with current security patches and limit VPN access to necessary users only.
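For teams that embed DCMTK or build their own storage services around it, the CWE-22 write described above is the class of bug a containment check on the output path prevents. The following is an added example, not DCMTK's own code and not the 3.6.7 fix: it takes a filename derived from untrusted DICOM input (the storage directory `/var/lib/pacs` and the function name `safe_output_path` are assumptions for illustration) and refuses anything that would resolve outside the configured storage directory.

```cpp
// Added example (not DCMTK code): reject output names that would escape the
// configured storage directory, the CWE-22 pattern behind this advisory.
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Returns true and sets `out` when `name` (taken from an untrusted DICOM
// element or association) resolves to a single file directly inside `base`.
// Everything else (absolute paths, "..", subdirectories, embedded NUL) is refused.
bool safe_output_path(const fs::path& base, const std::string& name, fs::path& out) {
    if (name.empty() || name.find('\0') != std::string::npos) return false;
    fs::path p(name);
    // A received object should map to one filename component: no directories.
    if (p.is_absolute() || p.has_parent_path()) return false;
    if (p.filename() == "." || p.filename() == "..") return false;
    // Belt and braces: after joining and normalising, the result must still lie
    // under base (lexically_relative yields ".." first if it escaped).
    fs::path root = base.lexically_normal();
    fs::path joined = (root / p).lexically_normal();
    fs::path rel = joined.lexically_relative(root);
    if (rel.empty() || *rel.begin() == "..") return false;
    out = joined;
    return true;
}

int main() {
    // Constructed inputs: one benign SOP-instance-style name, one traversal attempt.
    const char* samples[] = {"1.2.840.10008.dcm", "../../etc/cron.d/job", "/etc/passwd"};
    for (const char* s : samples) {
        fs::path out;
        bool ok = safe_output_path("/var/lib/pacs", s, out);
        std::cout << (ok ? "accept " + out.string() : std::string("reject ") + s) << '\n';
    }
    return 0;
}
```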
API:
/api/v1/advisories/111b91ea-9dbd-4402-9139-04b3d786eafc