CVE-2020-12715
📋 TL;DR
CVE-2020-12715 is an incorrect access control vulnerability in RainbowFish PacsOne Server 6.8.4 that allows unauthenticated attackers to bypass authentication and access sensitive medical imaging data. This affects all organizations using the vulnerable version of this Picture Archiving and Communication System (PACS) software.
💻 Affected Systems
- RainbowFish PacsOne Server
📦 What is this software?
PacsOne Server by RainbowFish Software: a Picture Archiving and Communication System (PACS) that stores DICOM studies and exposes them to clinicians through a web interface, which is the component this vulnerability concerns.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all patient medical imaging data (DICOM files), modify or delete medical records, potentially disrupting healthcare operations and violating patient privacy regulations like HIPAA.
Likely Case
Unauthenticated access to patient medical imaging data, leading to data breaches and privacy violations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the PACS server.
🎯 Exploit Status
Public proof-of-concept code demonstrates simple HTTP requests to bypass authentication. The exploit requires no special tools or advanced knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.8.5 or later
Vendor Download Page (no separate advisory is linked here): https://www.pacsone.net/download.htm
Restart Required: Yes
Instructions:
1. Download the latest version from pacsone.net/download.htm
2. Backup current configuration and data
3. Install the updated version
4. Restart the PacsOne Server service
5. Verify the installed version is 6.8.5 or later and that requests to the web interface without a session are sent to the login page rather than served
🔧 Temporary Workarounds
Network Isolation
Place the PacsOne Server behind a firewall with strict access controls, allowing only trusted medical imaging workstations and systems to reach both the web interface and the DICOM port.
Web Application Firewall
Deploy a WAF in front of the web interface with rules that block requests to sensitive endpoints unless they carry a valid session; treat this as a stopgap, since a WAF only sees the paths it is told about.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the PacsOne Server from untrusted networks
- Deploy additional authentication layer (reverse proxy with authentication) in front of the PacsOne web interface
🔍 How to Verify
Check if Vulnerable:
From a client you are authorized to test with, request PacsOne web-interface pages that should require a login, sending no session cookie. A properly protected server answers with a redirect to the login page or a 401/403; if instead you receive patient data or administrative functions with a 200 response, the system is vulnerable.
Check Version:
Check the PacsOne Server web interface footer or about page for version information, or check the installation directory for version files.
Verify Fix Applied:
After patching, verify that authentication is required for all sensitive endpoints and that unauthenticated requests are properly rejected.
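The following check is an added example, not code from the page or from PacsOne: it sends a request with no session cookie, refuses to follow redirects so the Location header can be inspected, and classifies the answer as rejected, login page, or served. The endpoint paths, the login-page and patient-data text markers, and the `pacsone-auth-check` User-Agent are assumptions to adjust for your deployment; run it only against systems you are authorized to test.

```python
"""Unauthenticated-access check for a PacsOne-style web interface.

Added example (not PacsOne code). Paths and text markers are placeholders.
"""
import sys
import urllib.error
import urllib.request

# Heuristic markers (assumed): text that suggests a login form was returned.
LOGIN_MARKERS = ("login", "log in", "sign in", "username", "password")
# Heuristic markers (assumed): text that suggests imaging data was served.
DATA_MARKERS = ("patient", "study", "dicom", "series", "modality")


def classify(status, headers, body):
    """Classify a response to a request that carried no session.

    Returns 'rejected' (401/403), 'login-page' (redirect to a login URL or a
    200 that looks like a login form), 'served' (200 carrying data markers),
    or 'ambiguous'. 'served' is the vulnerable outcome.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "rejected"
    if status in (301, 302, 303, 307, 308):
        location = lowered.get("location", "").lower()
        return "login-page" if "login" in location else "ambiguous"
    if status == 200:
        text = body.lower()
        looks_like_login = any(m in text for m in LOGIN_MARKERS)
        looks_like_data = any(m in text for m in DATA_MARKERS)
        if looks_like_data:
            return "served"
        if looks_like_login:
            return "login-page"
    return "ambiguous"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself is returned."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_path(base_url, path, timeout=10):
    """Request base_url + path with no cookies and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "pacsone-auth-check"},  # assumed UA string
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, hdrs = resp.status, dict(resp.headers)
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx arrive here
        status, hdrs = err.code, dict(err.headers)
        body = err.read().decode("utf-8", "replace")
    return classify(status, hdrs, body)


if __name__ == "__main__":
    # Usage: python check.py http://pacs.example.internal /some/protected/page
    base, *paths = sys.argv[1:]
    for p in paths:
        print(f"{p}: {check_path(base, p)}")
```

Interpret 'ambiguous' by hand (for example a 200 that is neither a login form nor data); the markers are deliberately simple so that they can be replaced with strings copied from your own PacsOne login page and study views.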
📡 Detection & Monitoring
Log Indicators:
- Successful responses (HTTP 200) for pages that should require a login, returned to clients that never completed a login in the same session
- Requests to sensitive endpoints (the page lists /api/, /admin/ and /patients/ as examples; substitute the paths your PacsOne deployment actually exposes) from clients with no established session
Network Indicators:
- HTTP requests to PacsOne endpoints that carry no session cookie yet receive 200 responses with patient data, especially from addresses outside the imaging network
- Unusual data export patterns from the PACS server
SIEM Query (field names are illustrative and must be mapped to your log source; the status filter keeps login redirects and 401/403 rejections from firing):
source="pacsone" AND (url_path="/api/*" OR url_path="/admin/*" OR url_path="/patients/*") AND (user="-" OR auth_status="none") AND status=200
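The detection logic from the indicators above, as an added example run over a constructed log, not code from the page or from PacsOne: it applies the SIEM query's conditions (tightened with a status check so redirects to the login page do not fire) and adds a simple sliding-window count for the "unusual data export" indicator. The event schema (ts, client_ip, user, auth_status, url_path, status, bytes), the sensitive path prefixes, and the export threshold are assumptions; map them to your web-server or proxy logs.

```python
"""Detection rules for unauthenticated PacsOne access, over constructed events.

Added example (not PacsOne code). Field names and thresholds are assumed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path prefixes the page lists as sensitive (illustrative; adjust).
SENSITIVE_PREFIXES = ("/api/", "/admin/", "/patients/")
# Assumed "bulk export" threshold: distinct objects per client per window.
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_MAX_OBJECTS = 20


def _mk(ts, ip, user, auth, path, status, nbytes):
    return json.dumps({"ts": ts, "client_ip": ip, "user": user, "auth_status": auth,
                       "url_path": path, "status": status, "bytes": nbytes})


# Constructed sample log: a legitimate session, an anonymous request that was
# correctly redirected, an anonymous request that was served, then a bulk pull.
SAMPLE_LOG = [
    _mk("2020-05-10T09:00:01", "10.1.2.3", "radiologist1", "ok", "/patients/list", 200, 5120),
    _mk("2020-05-10T09:00:05", "203.0.113.7", "-", "none", "/patients/list", 302, 0),
    _mk("2020-05-10T09:00:09", "203.0.113.7", "-", "none", "/patients/list", 200, 48210),
] + [
    _mk(f"2020-05-10T09:01:{i:02d}", "203.0.113.7", "-", "none",
        f"/patients/{1000 + i}", 200, 90000)
    for i in range(25)
]


def parse(line):
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_anonymous(ev):
    """No user recorded, or the log source marked the request unauthenticated."""
    return ev.get("user") in (None, "", "-") or ev.get("auth_status") == "none"


def is_sensitive(ev):
    return ev["url_path"].startswith(SENSITIVE_PREFIXES)


def detect(lines):
    """Return alerts as dicts with 'rule', 'client_ip' and 'detail'."""
    alerts = []
    served = defaultdict(list)  # client_ip -> [(ts, path)] of served sensitive hits
    for ev in map(parse, lines):
        if not is_sensitive(ev):
            continue
        if ev["status"] != 200:
            continue  # redirects and 401/403 mean the check worked; do not alert
        if is_anonymous(ev):
            alerts.append({"rule": "unauth_sensitive_access",
                           "client_ip": ev["client_ip"], "detail": ev["url_path"]})
        hits = served[ev["client_ip"]]
        hits.append((ev["ts"], ev["url_path"]))
        while hits and ev["ts"] - hits[0][0] > EXPORT_WINDOW:
            hits.pop(0)  # slide the window
        distinct = {path for _, path in hits}
        if len(distinct) == EXPORT_MAX_OBJECTS + 1:  # fire once on crossing
            alerts.append({"rule": "bulk_export", "client_ip": ev["client_ip"],
                           "detail": f"{len(distinct)} distinct objects within {EXPORT_WINDOW}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bulk-export rule fires for authenticated clients too, which is intended: a compromised workstation pulling every study looks the same in the log as an anonymous one, and the two rules together cover both the bypass itself and its likely follow-on.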