The MicroDicom DICOM Viewer medical image viewer was found to have two high-severity vulnerabilities. One vulnerability can result in arbitrary code execution. The other vulnerability could enable an attacker to get sensitive data, put new medical photos, or overwrite current medical images on the MicroDicom DICOM Viewer system.
CVE-2024-33606 is caused by using a handler for a custom URL scheme that doesn’t correctly limit which actors can use the handler with the scheme. The absence of correct authorization would enable an attacker to get sensitive data containing patients’ protected health information (PHI), including new images, or substitute current images, possibly injuring patients. User interaction is needed before an attacker can take advantage of the vulnerability. The vulnerability was designated a CVSS v4 severity rating of 8.6 (CVSS v3.1 8.8).
CVE-2024-28877 is a buffer overflow vulnerability based on a stack that could result in arbitrary code execution, though user interaction is necessary to take advantage of the vulnerability. The vulnerability was designated a CVSS v4 severity rating of 8.7 (CVSS v3.1 8.8).
DICOM Viewer versions before 2024.2 are affected by the vulnerabilities. All users must upgrade their devices to the June 6, 2024 released version 2024.2. To increase defense against any potential vulnerabilities and avoid HIPAA violations, potential breaches must be avoided by making sure that DICOM Viewer is not available online, protecting control network systems behind a firewall, using Virtual Private Networks (VPNs) when remote access is needed, and using only VPNs that are updated and is operating using the newest version.
In March 2024, two high-severity vulnerabilities CVE-2024-22100 and CVE-2024-25578 found in the free-to-use medical image viewer had been fixed. Vulnerability CVE-2024-22100 could enable an attacker to execute arbitrary code on impacted DICOM Viewer installations. It had a designated CVSS v3.1 base score of 7.8. Vulnerability CVE-2024-25578 was identified in MicroDicom DICOM Viewer version 2023.3 (Build 9342). When exploited, it could cause memory corruption in the application. It has a CVSS v3.1 base score of 7.8.
Image credits: natali_mis – adobestock.com