CVE-2020-29165

9.8 CRITICAL

📋 TL;DR

CVE-2020-29165 is an incorrect access control vulnerability in PacsOne Server that allows remote attackers to gain administrator privileges. This affects all PacsOne Server installations below version 7.1.1. The vulnerability enables complete system compromise through privilege escalation.

💻 Affected Systems

Products:
  • PacsOne Server (PACS Server In One Box)
Versions: All versions below 7.1.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the core access control mechanism of the application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative access, allowing data theft, system modification, and potential ransomware deployment across the entire PACS infrastructure.

🟠 Likely Case

Unauthorized access to sensitive medical imaging data (DICOM files), patient records, and system configuration with ability to disrupt medical workflows.

🟢 If Mitigated

Limited impact if proper network segmentation, authentication controls, and monitoring are in place to detect unauthorized access attempts.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances extremely vulnerable to attack.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows privilege escalation to administrator from any user context, posing significant risk to internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available, making exploitation straightforward. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.1 and above

Vendor Advisory: https://pacsone.net/download.htm

Restart Required: Yes

Instructions:

1. Download PacsOne Server version 7.1.1 or later from the vendor website.
2. Back up the current configuration and data.
3. Stop the PacsOne Server service.
4. Install the updated version.
5. Restart the service and verify functionality.

🔧 Temporary Workarounds

Network Isolation

Applies to: all

Restrict network access to PacsOne Server to only trusted medical imaging workstations and administrators

Enhanced Monitoring

Applies to: all

Implement strict logging and monitoring for unauthorized access attempts and privilege escalation activities

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PacsOne Server from other critical systems
  • Deploy application-level firewall rules to block suspicious API calls and enforce strict authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check the PacsOne Server version in the web interface or configuration files. Versions below 7.1.1 are vulnerable.

Check Version:

Check the web interface at http://[server-ip]/admin or examine the application configuration files for version information.

Verify Fix Applied:

Verify the installed version is 7.1.1 or higher and test that unauthorized privilege escalation is no longer possible.
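The version comparison above is easy to get wrong when done on strings (as text, "7.1.10" sorts before "7.1.2"). The following is an added example, not vendor tooling, showing a numeric comparison against the 7.1.1 threshold; the input strings are constructed, and where the version actually appears in PacsOne's web interface or configuration files is not specified by this advisory, so the function takes whatever text you extracted.

```python
"""Numeric version check against the CVE-2020-29165 fix threshold (added example)."""
import re

# Version in which the vendor fixed the issue, per the advisory above.
FIXED_VERSION = (7, 1, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first dotted version from free text (e.g. a banner or config line)
    and return it as a tuple of ints. A missing patch component is treated as 0."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_text):
    """True when the parsed version is below 7.1.1 (tuple comparison is numeric,
    so 7.1.10 correctly compares as newer than 7.1.1)."""
    return parse_version(version_text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners, not real PacsOne output.
    for banner in ("PacsOne Server 7.0.9", "PacsOne Server 7.1.1", "PacsOne Server 7.1.10", "version 6.9"):
        print(f"{banner!r}: {'VULNERABLE' if is_vulnerable(banner) else 'fixed'}")
```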

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to administrative endpoints
  • Multiple failed login attempts followed by successful administrative access
  • Unusual user privilege changes

Network Indicators:

  • HTTP requests to administrative endpoints from unauthorized IP addresses
  • Unusual API calls to privilege escalation endpoints

SIEM Query:

source="pacsone" AND (event_type="admin_access" OR event_type="privilege_change") AND user NOT IN [authorized_admin_users]
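To show the two detection ideas in this section actually running, here is an added example (not part of the advisory and not PacsOne's own log format) that implements the SIEM query and the "failed logins followed by administrative access" indicator over a few constructed key=value log lines. The field names (`source`, `event_type`, `user`, `src_ip`) mirror the query above; the authorized-admin list and the brute-force threshold and window are assumptions you would tune for your environment.

```python
"""Detection logic for the log indicators above, run over constructed sample logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple key=value layout; PacsOne's real logs will differ.
SAMPLE_LOGS = """\
2020-11-20T10:00:01Z source=pacsone event_type=login_failed user=alice src_ip=10.0.5.20
2020-11-20T10:00:04Z source=pacsone event_type=login_failed user=alice src_ip=10.0.5.20
2020-11-20T10:00:07Z source=pacsone event_type=login_failed user=alice src_ip=10.0.5.20
2020-11-20T10:00:09Z source=pacsone event_type=admin_access user=alice src_ip=10.0.5.20 path=/admin
2020-11-20T10:05:00Z source=pacsone event_type=admin_access user=pacsadmin src_ip=10.0.1.10 path=/admin
2020-11-20T10:07:30Z source=pacsone event_type=privilege_change user=bob src_ip=10.0.5.31 new_role=admin
2020-11-20T10:08:00Z source=pacsone event_type=image_query user=bob src_ip=10.0.5.31
"""

# Assumed allow-list; corresponds to [authorized_admin_users] in the SIEM query.
AUTHORIZED_ADMIN_USERS = {"pacsadmin"}


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict, with 'ts' as a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def unauthorized_admin_events(events, authorized=AUTHORIZED_ADMIN_USERS):
    """Equivalent of the SIEM query: admin_access or privilege_change events
    from the pacsone source whose user is not on the authorized list."""
    return [
        e for e in events
        if e.get("source") == "pacsone"
        and e.get("event_type") in ("admin_access", "privilege_change")
        and e.get("user") not in authorized
    ]


def brute_force_then_admin(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users with at least `threshold` failed logins inside `window`
    immediately preceding an admin_access event. Returns (user, src_ip, ts) tuples."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e.get("user")
        if e.get("event_type") == "login_failed":
            failures[user].append(e["ts"])
        elif e.get("event_type") == "admin_access":
            recent = [t for t in failures[user] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((user, e.get("src_ip"), e["ts"]))
    return hits


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for e in unauthorized_admin_events(evts):
        print(f"ALERT unauthorized {e['event_type']} by {e['user']} from {e['src_ip']} at {e['ts']}")
    for user, ip, ts in brute_force_then_admin(evts):
        print(f"ALERT failed logins then admin access: {user} from {ip} at {ts}")
```

The first rule is a straight allow-list check and will fire on the two non-admin accounts in the sample; the second correlates by user within a time window, which is the part the SIEM query alone does not express.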
