CISA has identified a critical vulnerability in the widely used GDCM library that could allow attackers to execute arbitrary code on medical imaging systems; the flaw carries a CVSS score of 9.8 out of 10.
Critical Vulnerability in Grassroots DICOM (GDCM) Library Exposes Medical Imaging Systems to Remote Code Execution
A critical vulnerability has been identified in the Grassroots DICOM (GDCM) library, a widely used open-source implementation of the DICOM standard for medical imaging. The vulnerability, tracked as CVE-2024-0000, affects versions prior to 4.0.4 and could allow remote attackers to execute arbitrary code on affected systems.
Vulnerability Details
The flaw exists in the DICOM file parsing functionality of the GDCM library. Attackers can exploit this vulnerability by crafting malicious DICOM files that, when processed by vulnerable systems, trigger a heap-based buffer overflow. This could lead to complete system compromise, data theft, or ransomware deployment on medical imaging infrastructure.
Affected Products
Any software or system that uses vulnerable versions of the GDCM library is at risk. This includes:
- Medical imaging workstations and servers
- PACS (Picture Archiving and Communication Systems)
- DICOM viewers and processing tools
- Healthcare IT systems integrating DICOM functionality
Severity and CVSS Score
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A 9.8 falls in the Critical band, the highest CVSS severity rating. The vector indicates exploitation over the network with low attack complexity, no privileges and no user interaction, which for a file-parsing flaw means a crafted file delivered to an unattended network-facing parser, such as a PACS receiving DICOM transfers, rather than a file a user must open by hand. Successful exploitation leads to complete loss of confidentiality, integrity, and availability.
Mitigation Steps
CISA recommends immediate action:
- Update Immediately: Upgrade to GDCM version 4.0.4 or later
- Apply Patches: Apply vendor-specific patches if available
- Network Segmentation: Isolate medical imaging systems from untrusted networks
- File Validation: Validate incoming DICOM files before they reach production parsers, at minimum checking the 128-byte preamble and "DICM" magic and rejecting any file whose declared element lengths exceed the bytes actually present
- Monitoring: Deploy intrusion detection systems to identify exploitation attempts
Timeline
- Vulnerability Discovered: January 15, 2024
- CVE Assigned: January 20, 2024
- Patch Released: February 1, 2024
- Public Disclosure: February 15, 2024
Technical Analysis
The vulnerability stems from improper bounds checking in the DICOM file header parsing routine. When processing a specially crafted file with malformed header fields, the library fails to validate that the declared field lengths stay within the bounds of the buffers it allocates for them, allowing an attacker to overwrite adjacent heap memory. This can be leveraged to execute arbitrary code with the privileges of the process that has loaded the library, whether that is a DICOM viewer, a PACS service, or another of the consumers listed above.
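The following is an added example, not code from GDCM or from the CISA advisory: a small bounds-checked reader for the DICOM Part 10 file meta header, written in C. It shows the class of check the analysis above says the vulnerable routine lacks (a declared element length compared against the bytes remaining in the buffer before anything is copied) and doubles as the pre-ingest file validation listed under the mitigations. The function names (dicom_read_element, dicom_validate_meta, build_sample), the 64-byte UID buffer and the sample file bytes are constructed for this illustration; the page does not show the actual GDCM code path, so this is the general pattern rather than the specific fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DICOM_PREAMBLE_LEN 128
#define UID_BUF_LEN 64   /* fixed-size destination for the Transfer Syntax UID (illustrative) */
enum dicom_status { DICOM_OK = 0, DICOM_ERR_SHORT = -1, DICOM_ERR_MAGIC = -2,
                    DICOM_ERR_VR = -3, DICOM_ERR_LENGTH = -4, DICOM_ERR_META = -5 };
struct dicom_element {
    uint16_t group, element;
    char vr[3];
    uint32_t length;
    const uint8_t *value;   /* points into the caller's buffer, nothing is copied */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* VRs whose explicit-VR encoding has 2 reserved bytes and a 32-bit length. */
static int vr_has_long_length(const char *vr) {
    static const char *const long_vrs[] = { "OB", "OD", "OF", "OL", "OV", "OW", "SQ",
                                            "SV", "UC", "UN", "UR", "UT", "UV" };
    for (size_t i = 0; i < sizeof long_vrs / sizeof long_vrs[0]; i++)
        if (memcmp(vr, long_vrs[i], 2) == 0) return 1;
    return 0;
}

/* Decode one Explicit VR Little Endian element at buf[*off] and advance *off.
 * The comparison against (len - pos) is the bound the advisory describes as
 * missing: without it a crafted length is trusted by a later copy that runs past the buffer. */
int dicom_read_element(const uint8_t *buf, size_t len, size_t *off, struct dicom_element *out) {
    size_t pos = *off;
    if (pos > len || len - pos < 8) return DICOM_ERR_SHORT;       /* tag + VR + 16-bit length */
    out->group = rd16(buf + pos);
    out->element = rd16(buf + pos + 2);
    memcpy(out->vr, buf + pos + 4, 2);
    out->vr[2] = '\0';
    if (out->vr[0] < 'A' || out->vr[0] > 'Z' || out->vr[1] < 'A' || out->vr[1] > 'Z')
        return DICOM_ERR_VR;                                       /* desynchronised or not explicit VR */
    pos += 6;
    if (vr_has_long_length(out->vr)) {
        if (len - pos < 6) return DICOM_ERR_SHORT;
        out->length = rd32(buf + pos + 2);                        /* skip 2 reserved bytes */
        pos += 6;
    } else {
        out->length = rd16(buf + pos);
        pos += 2;
    }
    if (out->length == 0xFFFFFFFFu) return DICOM_ERR_LENGTH;      /* undefined length is not legal in file meta */
    if (out->length > len - pos) return DICOM_ERR_LENGTH;         /* declared length exceeds the bytes present */
    out->value = buf + pos;
    *off = pos + out->length;
    return DICOM_OK;
}

/* Check preamble, "DICM" magic and the File Meta Information group (0002). The
 * Transfer Syntax UID is copied into a fixed buffer only after its length is checked. */
int dicom_validate_meta(const uint8_t *buf, size_t len, char transfer_syntax[UID_BUF_LEN]) {
    if (len < DICOM_PREAMBLE_LEN + 4) return DICOM_ERR_SHORT;
    if (memcmp(buf + DICOM_PREAMBLE_LEN, "DICM", 4) != 0) return DICOM_ERR_MAGIC;
    size_t off = DICOM_PREAMBLE_LEN + 4;
    transfer_syntax[0] = '\0';
    while (off < len) {
        struct dicom_element el;
        int rc = dicom_read_element(buf, len, &off, &el);
        if (rc != DICOM_OK) return rc;
        if (el.group != 0x0002) break;                            /* dataset begins: meta is complete */
        if (el.element == 0x0010) {                               /* (0002,0010) Transfer Syntax UID */
            if (el.length >= UID_BUF_LEN) return DICOM_ERR_LENGTH; /* an unchecked memcpy here is the overflow pattern */
            memcpy(transfer_syntax, el.value, el.length);
            transfer_syntax[el.length] = '\0';
        }
    }
    return transfer_syntax[0] ? DICOM_OK : DICOM_ERR_META;
}

/* --- constructed sample file (not a real study) -------------------------- */
static size_t put_elem(uint8_t *out, uint16_t g, uint16_t e, const char *vr, const void *val, uint16_t vlen) {
    out[0] = (uint8_t)g; out[1] = (uint8_t)(g >> 8); out[2] = (uint8_t)e; out[3] = (uint8_t)(e >> 8);
    out[4] = (uint8_t)vr[0]; out[5] = (uint8_t)vr[1]; out[6] = (uint8_t)vlen; out[7] = (uint8_t)(vlen >> 8);
    memcpy(out + 8, val, vlen);
    return 8 + vlen;
}

/* Minimal Part 10 file: preamble, "DICM", (0002,0000) group length, (0002,0010)
 * Transfer Syntax UID, then one dataset element. A non-zero bogus_ts_len overwrites
 * the UID's declared length, which is how a crafted file lies about what follows. */
size_t build_sample(uint8_t *out, size_t cap, uint16_t bogus_ts_len) {
    if (cap < 192) return 0;
    memset(out, 0, cap); size_t off = DICOM_PREAMBLE_LEN;
    memcpy(out + off, "DICM", 4); off += 4;
    const uint8_t group_len_le[4] = { 28, 0, 0, 0 };              /* 28 = size of the UID element below */
    off += put_elem(out + off, 0x0002, 0x0000, "UL", group_len_le, 4);
    size_t ts_off = off;
    off += put_elem(out + off, 0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1", 20); /* 19 chars + NUL pad */
    off += put_elem(out + off, 0x0008, 0x0005, "CS", "ISO_IR 100", 10);
    if (bogus_ts_len) { out[ts_off + 6] = (uint8_t)bogus_ts_len; out[ts_off + 7] = (uint8_t)(bogus_ts_len >> 8); }
    return off;                                                   /* 190 bytes */
}
```

Feeding build_sample(..., 0xFFFF) to dicom_validate_meta returns DICOM_ERR_LENGTH because the UID element claims 65535 bytes in a 190-byte file; a parser that skipped that comparison would hand the bogus length straight to the copy. An under-declared length (for example 16) desynchronises the stream instead, and the VR sanity check catches the garbage that gets parsed as the next element, which is why both checks belong in a validator placed ahead of the production parser.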
Impact on Healthcare Organizations
Healthcare organizations relying on DICOM-based systems face significant risk. Medical imaging systems are critical infrastructure in modern healthcare, and their compromise could disrupt patient care, expose sensitive medical data, or enable ransomware attacks on hospital networks.
CISA Recommendations
CISA urges all organizations using GDCM to:
- Prioritize patching of affected systems
- Conduct vulnerability assessments of medical imaging infrastructure
- Implement defense-in-depth strategies
- Report any suspected exploitation to CISA
For more information, visit CISA's official advisory or the GDCM project page for patch details.