Skip to main content

One vulnerability could allow an attacker retrieve and plant medical image files and another could lead to arbitrary code execution

Threat ID:CC-4512
Threat Severity:Low
Published:13 June 2024 12:59 PM

Summary

One vulnerability could allow an attacker retrieve and plant medical image files and another could lead to arbitrary code execution

Affected platforms

The following platforms are known to be affected:

Threat details

Attacks targeting MicroDicom users

NHS England National CSOC are aware of watering hole campaigns targeting MicroDicom users. Threat actors are masquerading as the official download page to deliver a fake installer, off the back of the CISA advisory ICSMA-24-163-01, to deliver malware. Organisations are strongly encouraged to verify all download links for software patches, and are recommended to follow the Definitive Threat Updates link in our cyber alerts.


Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) Medical Advisory for two vulnerabilities found in MicroDicom DICOM Viewer. DICOM Viewer is an application for primary processing and preservation of medical images in DICOM format.

CVE-2024-33606 is an 'improper authorisation in handler for custom URL scheme' (CWE-939) vulnerability with a CVSSv3 score of 8.8, which if exploited could allow an attacker to retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing images. 

CVE-2024-28877 is a stack-based buffer overflow (CWE-121) vulnerability with a CVSSv3 score of 8.8, which if exploited could allow an attacker to execute arbitrary code (ACE). 

Threat updates

   
30 Jul 2024 Attacks targeting MicroDICOM users

Remediation advice

Affected organisations are encouraged to review the CISA advisory ICSMA-24-163-01, which recommends updating MicroDicom DICOM Viewer to version 2024.2 and taking the following defensive actions to minimise the risk of exploitation of these vulnerabilities:

  • Minimise network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise VPN is only as secure as the connected devices.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-33606An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.
StatusPublished
CVE-2024-28877MicroDicom DICOM Viewer is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. User interaction is required to exploit this vulnerability.

Last edited: 30 July 2024 4:37 pm

Back to top