
MicroDicom DICOM Viewer Vulnerable to Malicious DICOM Files

Vulnerability Bulletins TLP:WHITE Alert Id: 020bed5a 2024-02-29 18:51:47


On February 29, 2024, security researcher Michael Heinzl reported a vulnerability in MicroDicom DICOM
Viewer v2023.3 (Build 9342) and prior, which could allow an attacker to cause memory corruption issues
leading to the execution of arbitrary code. Health-ISAC is aware of healthcare organizations leveraging
MicroDICOM and similar tools for viewing DICOM files. MicroDicom has provided a fix in MicroDicom DICOM
Viewer 2024.1.

On February 28, 2024, Health-ISAC published Sante DICOM Pro Vulnerable to Malicious DICOM Files. This
vulnerability was also reported by Michael Heinzl and distributed by CISA. Please review that bulletin for
additional insight including affected versions and links to update to the most secure version of Sante DICOM
Pro.

Health-ISAC has previously shared insight on threat actors targeting healthcare organizations and leveraging
DICOM systems for initial access in a Threat Bulletin titled Ransomware Actors Target Healthcare. This tactic
involves social engineering to the extent that the threat actor enrolls as though they are a patient seeking
care. Upon request for medical images, threat actors submit malicious DICOM files.

If exploited, the vulnerability allows attackers to exfiltrate sensitive information, including protected health
information (PHI) and personally identifiable information (PII). Threat actors find DICOM systems attractive, as
illustrated in leaked communications intercepted from CLOP ransomware affiliates, which indicate that ransomware
groups find the urgency of radiologists reviewing medical images for upcoming remote patient visits helpful in
breaching healthcare networks.

Two CVEs have been assigned to the specific DICOM viewer vulnerabilities impacting
MicroDICOM: CVE-2024-22100 and CVE-2024-25578. The Common Vulnerability Scoring System (CVSS)
score is 7.8. There is no indication that this vulnerability is actively exploited, and there is no indication
that public exploit code is available for it.

Health-ISAC will share an additional Threat Bulletin if proof of concept code is discovered or active
exploitation is reported for MicroDicom DICOM vulnerabilities. DICOM systems have previously been actively
exploited, as illustrated in the Health-ISAC Threat Bulletin Actively Exploited Vulnerability in MIM Assistant
and Client DICOM RTst Loading Modules.

Health-ISAC would like to thank intelligence partners at CISA for facilitating the distribution of the insights
shared by security researcher Michael Heinzl.

Impacted Versions:

• MicroDicom DICOM Viewer: v2023.3 (Build 9342) and prior.


Recommendation:

Health-ISAC recommends organizations inventory their environment to determine whether any instances of
MicroDicom DICOM Viewer v2023.3 are in operation and are connected to their network or third-party partner
networks.

Health-ISAC recommends organizations upgrade to the latest version of MicroDicom DICOM Viewer, v2024.1,
to mitigate the risk of exploitation resulting in the exfiltration of sensitive information.

The latest version of the MicroDicom DICOM Viewer, version 2024.1, including the patch for the
above-referenced vulnerability, is available from MicroDICOM here.
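
For the inventory step recommended above, the following added example (not part of the Health-ISAC bulletin or any MicroDicom tooling) triages a software-inventory export and flags hosts running a release older than 2024.1. The CSV column names, host names, sample rows and the assumption that the product name contains "MicroDicom" are constructed for illustration.

```python
import csv
import io
import re

FIXED = (2024, 1)  # first fixed release named in the bulletin (2024.1)

# Constructed sample export; column names and rows are assumptions, not real data.
SAMPLE_INVENTORY = """host,name,version
rad-ws-01,MicroDicom DICOM Viewer,v2023.3 (Build 9342)
rad-ws-02,MicroDicom DICOM viewer,2024.1
clinic-07,MicroDicom DICOM Viewer,2022.1
partner-vpn-3,MicroDicom DICOM Viewer,
lab-02,Some Other Viewer,1.0
"""

def parse_version(text):
    """Return (year, release) from '2023.3' or 'v2023.3 (Build 9342)', else None."""
    m = re.search(r"(\d{4})\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(csv_text):
    """Map each host with a MicroDicom entry to 'vulnerable', 'fixed' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "microdicom" not in (row.get("name") or "").lower():
            continue  # unrelated software
        ver = parse_version(row.get("version"))
        if ver is None:
            status = "unknown"      # no usable version string: verify on the host
        elif ver < FIXED:
            status = "vulnerable"   # v2023.3 and prior
        else:
            status = "fixed"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked manually rather than assumed patched.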

Reference(s): CISA ICS Medical Advisory, microdicom, bnnbreaking


Sources:
CISA - https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01
BNN - https://bnnbreaking.com/tech/cybersecurity/microdicom-dicom-viewer-security-flaws-urgent-upgrade-advised-by-c

Release Date: Mar 01, 2024 (UTC)

Tags: CVE-2024-25578, CVE-2024-22100, Viewer, DICOMVIEWER, Clop, DICOM


TLP:WHITE: Subject to standard copyright rules, TLP:WHITE information may be distributed without
restriction.
Access the Health-ISAC Intelligence Portal:
Enhance your personalized information-sharing community with improved threat visibility, alert notifications, and incident sharing in a
trusted environment delivered to you via email and mobile apps. Contact membership@h-isac.org for access to Cyware.

For Questions or Comments:


Please email us at toc@h-isac.org
