DICOM Vulnerabilities in Orthanc Servers Allow Heap Overflows

Cisco Talos Blog researchers have detailed critical vulnerabilities within the DICOM file format parsing libraries, affecting the Orthanc PACS server. These weaknesses, specifically heap overflows, can be triggered by malformed DICOM files uploaded to the server. This presents a significant attack surface, as hospitals and medical institutions often ingest DICOM files automatically over networks, potentially leading to remote code execution.

The exploitation chain involves crafting malicious DICOM files that, when processed by vulnerable components like Pydicom or GDCM, cause out-of-bounds writes on the server's heap. The deep dive shows how a complex but critical medical imaging standard can harbor exploitable flaws that are reachable during routine data ingestion, when files are parsed automatically and without human review.

Defenders should prioritize patching Orthanc servers and any systems relying on the identified DICOM parsing libraries. Given the sensitive nature of medical data and the potential for system compromise, a proactive approach to vulnerability management is essential. Network segmentation and input validation at ingress points can further mitigate risks, though direct patching remains the most effective defense.
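As an added illustration of the ingress-side input validation mentioned above (this is not code from the Talos write-up or from Orthanc), the Python below walks a DICOM Part 10 file's File Meta Information header with explicit bounds checks and rejects any element whose declared length exceeds the bytes actually present, which is the length-trust mistake that turns a malformed file into an out-of-bounds access inside a parser. The byte strings are constructed for the demo, and max_elem_len is an assumed local policy limit rather than anything from the DICOM standard.

```python
import struct

PREAMBLE_LEN, MAGIC = 128, b"DICM"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs carrying a 4-byte length field

class DicomRejected(ValueError):
    """Raised when a file must not be handed to the full DICOM parser."""

def validate_meta_header(data: bytes, max_elem_len: int = 1 << 20) -> dict:
    """Bounds-checked walk over group (0002), always Explicit VR Little Endian: every
    declared length is checked against the bytes present before it is used as an offset."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise DicomRejected("missing DICM magic after the 128-byte preamble")
    pos, elems = PREAMBLE_LEN + 4, {}
    while pos < len(data):
        if len(data) - pos < 8:
            raise DicomRejected(f"truncated element header at offset {pos}")
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # meta group finished; the dataset proper starts here
        vr = data[pos + 4:pos + 6]
        hdr = 12 if vr in LONG_VRS else 8  # element header size including its length field
        if len(data) - pos < hdr:
            raise DicomRejected(f"truncated length field at offset {pos}")
        fmt, off = ("<I", 8) if hdr == 12 else ("<H", 6)
        (length,) = struct.unpack_from(fmt, data, pos + off)
        if length == 0xFFFFFFFF or length > max_elem_len:
            raise DicomRejected(f"unreasonable length {length:#x} for ({group:04X},{elem:04X})")
        if length > len(data) - pos - hdr:  # the check a naive parser omits
            raise DicomRejected(f"({group:04X},{elem:04X}) declares {length} bytes, "
                                f"only {len(data) - pos - hdr} remain")
        elems[(group, elem)] = data[pos + hdr:pos + hdr + length]
        pos += hdr + length
    if (0x0002, 0x0010) not in elems:
        raise DicomRejected("no Transfer Syntax UID (0002,0010) in meta header")
    return elems

def is_safe_dicom(data: bytes) -> bool:
    """Ingress gate: True only if the meta header is internally consistent."""
    try:
        return bool(validate_meta_header(data))
    except DicomRejected:
        return False

def _elem(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    """Encode one Explicit VR LE element; used only to build the constructed samples."""
    size = struct.pack("<HI", 0, len(value)) if vr in LONG_VRS else struct.pack("<H", len(value))
    return struct.pack("<HH", group, elem) + vr + size + value

# Constructed samples, not real files: a minimal well-formed Part 10 header, and one
# whose (0002,0001) OB element declares 16 KiB of data while only two bytes follow it.
GOOD = (b"\x00" * PREAMBLE_LEN + MAGIC
        + _elem(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1\x00")
        + _elem(0x0008, 0x0016, b"UI", b"1.2.3\x00"))
BAD = (b"\x00" * PREAMBLE_LEN + MAGIC + struct.pack("<HH", 0x0002, 0x0001)
       + b"OB\x00\x00" + struct.pack("<I", 0x4000) + b"\x00\x01")
```

Running the gate before the real parser does not replace patching, but it gives a cheap place to log and quarantine files whose headers are already inconsistent.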

What This Means For You

  • If your organization uses Orthanc for DICOM image management, immediately verify that all instances are patched against the heap overflow vulnerabilities detailed by Cisco Talos Blog. Audit logs for any unusual file uploads or processing errors that might indicate prior exploitation attempts.

πŸ›‘οΈ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.

Severity: critical · Technique: T1190 Initial Access

Orthanc DICOM Heap Overflow - Malformed File Upload

Source: Shimi's Cyber World

Indicators of Compromise

ID        Type            Indicator
Advisory  Security Patch  See advisory
