Message-ID: <CAK3hNHaAUyNCsbKNP0FhQdOMXP3P4jrQMwxAWHo2FWvzSpNjKQ@mail.gmail.com>
Date: Tue, 30 Jun 2026 22:09:04 -0700
From: Abhinav Agarwal <abhinavagarwal1996@...il.com>
To: oss-security@...ts.openwall.com
Subject: OFFIS DCMTK: 5 CISA-coordinated DICOM vulnerabilities
CISA has published an advisory for five vulnerabilities in OFFIS DCMTK
(DICOM Toolkit), affecting DCMTK <= 3.7.0:
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01

Fix status:

The fixes are in upstream DCMTK master but not in any release as of today:
https://github.com/DCMTK/dcmtk/releases/tag/latest

Vulnerabilities and fixes:

1. CVE-2026-50003 - bit-preserving C-GET path traversal - CVSS v3.1: 9.8 Critical
Fix: eca9a03dd

A victim DCMTK C-GET client connects to a malicious or
compromised DICOM server while using bit-preserving storage mode
(getscu --bit-preserving / DCMSCU_STORAGE_BIT_PRESERVING). During the
C-GET response, the server supplies an affected SOP Instance UID containing
path separators or an absolute path. DcmSCU::handleCGETSession() used that
value to build the output path without the filename sanitization used by the
normal disk-storage path. The result is file creation/truncation outside
the selected output directory, limited to paths writable by the client
process and to directories that already exist.

2. CVE-2026-50254 - Extended Negotiation memory leak - CVSS v3.1: 7.5 High
Fix: 23f181f7a

An unauthenticated client repeatedly opens a DICOM association
and sends an A-ASSOCIATE-RQ containing many Extended Negotiation items
followed by a malformed/truncated Extended Negotiation item. The parser
error path frees the list container but not the allocated negotiation items.
In storescp default single-process mode, repeated connections cause RSS
growth until the process is killed or stops accepting DICOM connections.

3. CVE-2026-35505 - connection error-path memory leaks - CVSS v3.1: 7.5 High
Fix: 2312891a8

An unauthenticated client sends an A-ASSOCIATE-RQ where
presentation-context structures are parsed and allocated, then a later
presentation context triggers a translation failure, for example by
containing no transfer syntaxes. The server returns before freeing the
parsed PDU graph. Repeating this request leaks memory in single-process
services. There is also an analogous SCU-side error path when a long-running
DCMTK client parses a malformed A-ASSOCIATE-AC from a rogue server.

4. CVE-2026-52868 - Called AE Title path traversal in wlmscpfs - CVSS v3.1: 8.2 High
Fix: e3878daf8

An unauthenticated client connects to wlmscpfs with a Called
AE Title containing a short traversal sequence. wlmscpfs used the Called AE
Title to construct worklist storage and lockfile paths without a containment
check. If the resolved directory exists, has the expected lockfile, and
contains matching .wl worklist files, a normal C-FIND query can return
records outside the intended per-AE storage area. This is not an arbitrary OS
file read; disclosure is limited to reachable worklist records within the
16-byte AE Title naming constraint. With non-default --request-file-path
logging and AE Title/Patient ID placeholders, the same unsanitized values
could also produce a constrained write outside the request-file directory.
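As an added example (not DCMTK's code and not the upstream fix), the kind of pre-use validation and containment check that closes the two path-traversal items above (1 and 4): a SOP Instance UID is accepted only in its DICOM grammar (digits and dots, at most 64 characters), a Called AE Title only within its 16-byte limit and without separators, and in both cases the composed path is lexically normalised and required to stay under the configured base directory. The function names, base directories and the naming of the C-GET output file by UID alone are assumptions.

```cpp
#include <cctype>
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// DICOM UID grammar (PS3.5 section 9): up to 64 characters, only digits and dots,
// no empty component. Anything else ('/', '\\', "..", ...) is rejected up front.
bool is_valid_uid(const std::string& uid) {
    if (uid.empty() || uid.size() > 64) return false;
    std::size_t comp_len = 0;                  // length of the current dot-separated component
    for (unsigned char c : uid) {
        if (c == '.') { if (comp_len == 0) return false; comp_len = 0; }   // "1..2", ".1"
        else if (std::isdigit(c)) ++comp_len;
        else return false;
    }
    return comp_len > 0;                       // a trailing dot is also an empty component
}

// Joins one untrusted component onto 'base' and returns the result only if the
// lexically normalised path still lies under 'base'. Purely lexical, so it can
// run before any file or directory is created.
std::optional<fs::path> contained_path(const fs::path& base, const std::string& component) {
    if (component.empty()) return std::nullopt;
    for (unsigned char c : component)          // no separators, drive colons, control chars
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return std::nullopt;
    const fs::path root = base.lexically_normal();
    const fs::path candidate = (root / component).lexically_normal();
    const fs::path rel = candidate.lexically_relative(root);
    if (rel.empty() || rel == "." || *rel.begin() == "..") return std::nullopt;
    return candidate;
}

// Bit-preserving C-GET: the received SOP Instance UID names the output file
// (assumed naming scheme; a real implementation may append an extension).
std::optional<fs::path> cget_output_path(const fs::path& out_dir, const std::string& sop_uid) {
    if (!is_valid_uid(sop_uid)) return std::nullopt;
    return contained_path(out_dir, sop_uid);
}

// wlmscpfs: the Called AE Title selects the per-AE worklist directory; AE Titles
// are at most 16 bytes (PS3.5), so longer values are rejected outright.
std::optional<fs::path> worklist_dir(const fs::path& base, const std::string& called_ae) {
    if (called_ae.size() > 16) return std::nullopt;
    return contained_path(base, called_ae);
}
```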

5. CVE-2026-44628 - VR-spoofing type confusion in wlmscpfs - CVSS v3.1: 7.5 High
Fixes: f4e007468 and 694a0a06a

An unauthenticated client negotiates Explicit VR and sends a
C-FIND request containing a dictionary sequence tag encoded on the wire with
a non-sequence VR. DCMTK constructs a non-sequence object, but wlmscpfs later
casts the result to DcmSequenceOfItems without checking the actual type. If
the query reaches a valid worklist directory with an expected lockfile and a
matching record, the wrong-type use crashes the process. In single-process
mode this stops the service; in default fork mode the child crashes and the
parent continues serving.

Potential exposure includes patient worklist metadata in affected wlmscpfs
deployments, file write outside an intended C-GET output directory, and
availability loss for DICOM worklist/storage services through crash or OOM.

Coordination timeline:

2026-05-11  Reported to OFFIS DCMTK maintainers
2026-05-12  First fix committed upstream
2026-05-14  CERT/CC case opened as VU#470252
2026-05-29  Remaining fixes committed upstream
2026-06-30  CISA advisory published as ICSMA-26-181-01

Mitigation notes:

* Apply the upstream fixes or the rolling latest snapshot when possible.
* Keep DICOM services on trusted networks only.
* For DoS exposure, prefer multi-process/fork mode where available.
* Avoid getscu --bit-preserving / DCMSCU_STORAGE_BIT_PRESERVING with
  untrusted C-GET servers until patched.

Additional background:
https://www.healthcareinfosecurity.com/dicom-toolkit-bugs-raise-medical-imaging-security-risks-a-32114

Credit:
Reported by Abhinav Agarwal.