There is a vulnerability in the DICOM (Digital Imaging and Communications in Medicine) standard with proof-of-concept (PoC) exploit code, according to a report received by NCCIC.
The DICOM standard is the international standard for transmitting, storing, retrieving, printing, processing, and displaying medical imaging information. The vulnerability is exploitable by embedding executable code into the 128-byte preamble at the start of a DICOM file. This report was released without coordination with NCCIC or any known vendor.
NCCIC has notified some of the vendors that may be affected because they use the DICOM standard (primarily in the healthcare industry) about the report, so that they can confirm the vulnerability and identify mitigations.
NCCIC released this alert to provide notice of the report and identify baseline mitigations for reducing risks of these and other cybersecurity attacks.
DICOM is widely used throughout the Healthcare and Public Health Sector for portability in medical imaging; it uses the .dcm file extension.
The report included vulnerability details and PoC exploit code for an input validation vulnerability that requires local access.
Successful exploitation of this vulnerability could allow an attacker to embed executable code into image files used by medical imaging devices. The severity of any attack varies depending on the type and intent of the executable code embedded within the preamble. It is important to note that this code can be embedded in a way that makes the file a functioning Windows executable without interfering with the readability and functionality of the DICOM imagery.
The vulnerability was discovered by Markel Picado Ortiz of Cylera Labs and has a case number of CVE-2019-11687.
NCCIC is currently coordinating with multiple stakeholders to identify any potential mitigations.
The DICOM Security Group has provided the following statement on strategies for users:
“DICOM files on media, like CDs and DVDs, include a 128-byte preamble at the start of the file. The intended purpose of the preamble is to allow both DICOM software and non-DICOM software to process the same file. This is a useful feature for both backward and forward compatibility of some types of medical imaging devices.
“However, as reported, the potential exists to abuse the 128-byte preamble allowing DICOM files to be stored on media with executable malware inserted. A malicious actor could modify a DICOM file so that it is treated as both an executable program and as a DICOM file, and then a user might be convinced to execute the file via social engineering. Alternatively, a separate malicious actor that knew about the embedded executable and had access to the modified file could install and execute the malware. This type of intrusion is referred to as a multi-phase attack.
“The risks of such an exploit can be mitigated. Just as recipients of strange email attachments should be cautious about opening them, programs that process DICOM media files should take precautions. Virus scanning software should scan DICOM media files and not assume DICOM media files are safe. Data import systems should have file execution disabled when reading CD/DVDs.
“To provide more detailed information about this matter and potential risk and mitigation strategies, DICOM has published a Frequently Asked Questions (FAQ).
“The DICOM security workgroup welcomes efforts to strengthen systems against cybersecurity attacks, to raise awareness of potential attack vectors, and to help users and developers understand how to guard against them.”
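As an added example (not code from the NCCIC alert, from Cylera Labs, or from the DICOM Security Group), the check below shows the kind of inspection the scanning mitigation above calls for: it reads only the 128-byte preamble and the "DICM" magic that the standard places at offset 128, and flags a preamble that begins with an MS-DOS executable header or that is not the all-zero form the standard prescribes for an unused preamble. The function and type names and the sample inputs are this example's own constructions; a non-zero preamble is reported for review rather than declared malicious, since the standard permits application-specific use of those bytes.

```python
# Added defensive example: classify a DICOM Part 10 file by its preamble only.
# DICOM PS3.10: 128-byte preamble, then the 4-byte magic "DICM", then the File
# Meta Information. An unused preamble must be all 0x00 bytes.
from dataclasses import dataclass

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"


@dataclass
class PreambleReport:
    is_dicom: bool           # "DICM" magic present at offset 128
    preamble_all_zero: bool  # preamble is the standard's unused (all 0x00) form
    looks_like_pe: bool      # preamble starts with the "MZ" executable header
    suspicious: bool         # DICOM file whose preamble needs review / AV scanning


def inspect_preamble(data: bytes) -> PreambleReport:
    """Classify the first 132 bytes of a file without parsing the data set."""
    preamble = data[:PREAMBLE_LEN]
    is_dicom = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC
    all_zero = len(preamble) == PREAMBLE_LEN and not any(preamble)
    looks_like_pe = preamble[:2] == b"MZ"
    # An MZ header is the specific pattern from the report; any other non-zero
    # content is still worth a look. Files without the magic are out of scope.
    suspicious = is_dicom and (looks_like_pe or not all_zero)
    return PreambleReport(is_dicom, all_zero, looks_like_pe, suspicious)


def scan_file(path: str) -> PreambleReport:
    """Read just enough of a file on disk (e.g. from imported CD/DVD media)."""
    with open(path, "rb") as fh:
        return inspect_preamble(fh.read(PREAMBLE_LEN + 4))


def build_sample(preamble: bytes) -> bytes:
    """Constructed test input: preamble padded to 128 bytes, 'DICM', then one
    File Meta Information element, (0002,0000) UL length 4, value 0."""
    padded = preamble + b"\x00" * (PREAMBLE_LEN - len(preamble))
    return padded + DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00\x00\x00\x00\x00"


# Constructed samples: a conforming file, and one whose preamble carries only
# the two-byte MZ signature plus filler (no actual executable is built here).
CLEAN = build_sample(b"")
SUSPECT = build_sample(b"MZ" + b"\x90" * 30)
```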