CVE-2021-21807
📋 TL;DR
This critical vulnerability in the DICOM parser of Accusoft ImageGear is an integer overflow that leads to a stack-based buffer overflow and allows remote code execution. An attacker exploits it by getting a crafted DICOM file parsed by the vulnerable library, typically by tricking a user into opening it. Organizations using ImageGear, or products that embed it, for medical imaging or document processing are affected.
💻 Affected Systems
- Accusoft ImageGear
📦 What is this software?
ImageGear by Accusoft is a commercial image-processing SDK: a native library that applications link against to load, convert, view and annotate images, including medical DICOM files. Because it is redistributed inside other vendors' products, the vulnerable parser may be present on systems that never installed anything called "ImageGear".
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution as the user running the vulnerable software, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution on systems that parse untrusted DICOM files, whether a user opens them or an ingestion pipeline processes them automatically; healthcare environments, where DICOM is the standard imaging format, are the most exposed.
If Mitigated
With exploit mitigations in place (stack cookies, DEP/ASLR, a low-privilege or sandboxed rendering process), a failed attempt usually ends in an application crash (denial of service) rather than code execution; proper controls should prevent successful exploitation.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available. Exploitation requires no authentication, only that the malicious file reaches the vulnerable parser: user interaction to open the file in the typical case, or none at all where an automated pipeline parses incoming DICOM with ImageGear.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ImageGear 19.10 or later
Vendor Advisory: https://www.accusoft.com/products/imagegear-collection/imagegear/
Restart Required: Yes
Instructions:
1. Download ImageGear 19.10 or later from Accusoft.
2. Uninstall the current ImageGear version.
3. Install the updated version.
4. Restart affected systems.
5. Rebuild and redeploy applications that link ImageGear so they ship the updated libraries; an application that bundles its own copy of the older DLLs stays vulnerable until it is redeployed.
🔧 Temporary Workarounds
File type restriction
Block DICOM files arriving over untrusted channels (email attachments, web downloads) at the gateway. A blanket perimeter block is rarely workable in clinical networks, where DICOM is the normal transport between modalities and PACS, so scope the block to channels that should never carry DICOM.
Application sandboxing
Run the ImageGear-based viewer or conversion worker under a dedicated low-privilege account in a restricted environment (container, job object or equivalent) with no access to credentials, network shares or outbound connections it does not need, so that a successful exploit is contained.
🧯 If You Can't Patch
- Implement strict file validation: reject malformed DICOM files before they reach ImageGear, using a separate, hardened pre-parser that checks the preamble and DICM magic and that every declared element length fits within the file
- Deploy application control so that only approved, inventoried applications may open DICOM files, and remove ImageGear-based components from hosts that do not need them
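One way to implement the pre-processing validation above, as an added example that is not Accusoft's code and not part of the original advisory. It is a standalone DICOM Part 10 preflight in Python: it walks every data element of an explicit- or implicit-VR little-endian file and rejects any element whose declared length does not fit in the bytes that remain, which is the kind of malformed input a length-driven overflow in a DICOM parser is triggered by. Undefined-length sequences, items and encapsulated pixel data are walked rather than rejected so legitimate files pass. The sample files are constructed in code (not real medical images); nothing here is derived from ImageGear's own parser.

```python
import struct

IMPLICIT_VR_LE = "1.2.840.10008.1.2"
# Big-endian and deflated: the dataset is not a plain little-endian element stream.
UNSUPPORTED_SYNTAXES = {"1.2.840.10008.1.2.2", "1.2.840.10008.1.2.1.99"}
# Explicit-VR VRs encoded as tag(4) + VR(2) + reserved(2) + length(4)
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ",
            b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}
UNDEFINED = 0xFFFFFFFF
ITEM, SEQ_DELIM = (0xFFFE, 0xE000), (0xFFFE, 0xE0DD)
TRANSFER_SYNTAX, PIXEL_DATA = (0x0002, 0x0010), (0x7FE0, 0x0010)


class DicomPreflightError(ValueError):
    """Structural problem that must not reach the real parser."""


def _header(buf, off, explicit):
    """Parse one element header at `off`: returns (tag, vr, length, header_len)."""
    if off + 8 > len(buf):
        raise DicomPreflightError(f"truncated element header at offset {off}")
    tag = struct.unpack_from("<HH", buf, off)
    if not explicit or tag[0] == 0xFFFE:      # items and delimiters never carry a VR
        return tag, None, struct.unpack_from("<I", buf, off + 4)[0], 8
    vr = buf[off + 4:off + 6]
    if vr in LONG_VRS:
        if off + 12 > len(buf):
            raise DicomPreflightError(f"truncated element header at offset {off}")
        return tag, vr, struct.unpack_from("<I", buf, off + 8)[0], 12
    return tag, vr, struct.unpack_from("<H", buf, off + 6)[0], 8


def preflight_dicom(buf: bytes) -> int:
    """Walk every data element; raise on any declared length the file cannot
    back. Returns the number of element headers walked."""
    if len(buf) < 132 or buf[128:132] != b"DICM":
        raise DicomPreflightError("missing 128-byte preamble or DICM magic")
    off, count, syntax = 132, 0, None
    explicit, in_meta, in_fragments = True, True, False
    while off < len(buf):
        if in_meta and off + 2 <= len(buf) and struct.unpack_from("<H", buf, off)[0] != 0x0002:
            # File meta information (group 0002) is always explicit VR LE; the
            # dataset that follows uses the declared transfer syntax.
            in_meta = False
            if syntax is None or syntax in UNSUPPORTED_SYNTAXES:
                raise DicomPreflightError(f"transfer syntax {syntax!r} not supported by preflight")
            explicit = syntax != IMPLICIT_VR_LE
        tag, vr, length, hdr = _header(buf, off, explicit)
        off += hdr
        count += 1
        if length == UNDEFINED:
            # Only sequences, items and encapsulated pixel data may be undefined-
            # length; their contents are ordinary elements, so keep walking inline.
            if vr not in (b"SQ", None) and tag != PIXEL_DATA:
                raise DicomPreflightError(f"undefined length on {tag} VR {vr!r}")
            in_fragments = in_fragments or tag == PIXEL_DATA
            continue
        if length > len(buf) - off:
            # The bounds check the vulnerable parser lacked: a declared length
            # larger than the data present. Python ints do not wrap, so this
            # comparison itself cannot overflow.
            raise DicomPreflightError(
                f"{tag} declares {length} bytes at offset {off}, only {len(buf) - off} remain")
        if tag == SEQ_DELIM:
            in_fragments = False
        elif (vr == b"SQ" or tag == ITEM) and not in_fragments:
            continue                              # descend into the container
        elif tag == TRANSFER_SYNTAX:
            syntax = buf[off:off + length].rstrip(b"\x00 ").decode("ascii", "replace")
        off += length                             # leaf values and pixel fragments are skipped
    return count


def is_safe_dicom(buf: bytes) -> bool:
    """Gate for an ingestion pipeline: True only if the walk completes cleanly."""
    try:
        preflight_dicom(buf)
        return True
    except DicomPreflightError:
        return False


def _el(group, elem, vr, value):
    """Encode one explicit-VR little-endian element (test-data construction only)."""
    value += b"\x00" * (len(value) % 2)          # DICOM values are even-length
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


def sample_files():
    """Constructed inputs (not real medical images): a well-formed file, one with
    encapsulated pixel data, and one claiming far more pixel bytes than exist."""
    head = b"\x00" * 128 + b"DICM" + _el(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
    head += _el(0x0010, 0x0010, b"PN", b"DOE^JANE")
    item = lambda length: struct.pack("<HHI", *ITEM, length)
    return {
        "good": head + _el(*PIXEL_DATA, b"OB", b"\x00" * 16),
        "encapsulated": head + struct.pack("<HH2sxxI", *PIXEL_DATA, b"OB", UNDEFINED)
                        + item(0) + item(4) + b"\xff\xd8\xff\xd9" + struct.pack("<HHI", *SEQ_DELIM, 0),
        "oversized": head + struct.pack("<HH2sxxI", *PIXEL_DATA, b"OB", 0xFFFFFFF0) + b"\x00" * 16,
    }
```

Run it in front of ImageGear in the ingestion path and quarantine anything for which `is_safe_dicom` returns False. It checks only that lengths are physically backed by the file, not DICOM semantics (SOP class, required attributes), so it is a gate in front of an unpatched parser, not a replacement for the 19.10 update.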
🔍 How to Verify
Check if Vulnerable:
Check the ImageGear version in use: 19.9 and earlier are vulnerable. Because the SDK is embedded in other software, inventory every application that ships ImageGear DLLs or shared libraries rather than looking only for a standalone install.
Check Version:
On Windows, inspect the file version of the ImageGear DLLs bundled with each application (file Properties > Details) or the vendor's registry entries; on Linux, check the version of the ImageGear shared libraries. Methods vary by application, so ask the application vendor which ImageGear release it bundles when the binaries are not self-describing.
Verify Fix Applied:
Confirm that every inventoried application now loads ImageGear 19.10 or later, then process known-good DICOM files to confirm functionality.
📡 Detection & Monitoring
Log Indicators:
- Application crashes from ImageGear-based processes, particularly repeated crashes on one host (a failed or retried exploit)
- Unusual DICOM file processing: files from unexpected senders or channels, or files far outside normal size ranges
- Access-violation or stack-buffer-overrun exception codes in crash reports (Windows Application log Event ID 1000) for applications that load ImageGear
Network Indicators:
- Unexpected DICOM file transfers to vulnerable systems
- Malicious file delivery via email or web
SIEM Query:
ImageGear process crashes OR DICOM file processing anomalies OR memory violation events from ImageGear applications
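The log indicators and SIEM query above, turned into a concrete rule. This is an added example, not part of the original advisory: it parses the message body of Windows Application log Event ID 1000 (Application Error), which names the faulting application, the faulting module and the exception code, and flags crashes in an ImageGear module whose exception code is an access violation or a stack-buffer-overrun. The sample events are constructed, not real telemetry, and the module name pattern (any DLL whose name contains "imagegear") and the placeholder module names in the samples are assumptions to be replaced with the DLL names from your own inventory.

```python
import re
from collections import Counter

# Exception codes Windows reports for the crash classes this bug produces:
# STATUS_ACCESS_VIOLATION and STATUS_STACK_BUFFER_OVERRUN (/GS cookie failure).
CORRUPTION_CODES = {"0xc0000005", "0xc0000409"}
# Assumption: replace with the actual DLL names from your ImageGear inventory.
WATCHED_MODULE_PATTERN = re.compile(r"imagegear", re.I)

# Field layout of the Event ID 1000 message body written by Windows Error Reporting.
EVENT_1000_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+),.*?"
    r"Faulting module name: (?P<module>[^,]+),.*?"
    r"Exception code: (?P<code>0x[0-9a-fA-F]{8})", re.S)


def parse_event_1000(message: str):
    """Return (app, module, code) from an Application Error event body, or None."""
    m = EVENT_1000_RE.search(message)
    if not m:
        return None
    return m["app"].strip(), m["module"].strip(), m["code"].lower()


def imagegear_crash_alerts(events):
    """events: iterable of (host, message). Returns one alert per crash in a
    watched module with a memory-corruption exception code, plus per-host
    counts so repeated crashes (a failed or retried exploit) stand out."""
    alerts, per_host = [], Counter()
    for host, message in events:
        parsed = parse_event_1000(message)
        if parsed is None:
            continue
        app, module, code = parsed
        if code in CORRUPTION_CODES and WATCHED_MODULE_PATTERN.search(module):
            alerts.append({"host": host, "app": app, "module": module, "code": code})
            per_host[host] += 1
    return alerts, per_host


# Constructed sample events (not real telemetry). "ImageGearExample.dll" is a
# placeholder module name, not a real ImageGear file name.
SAMPLE_EVENTS = [
    ("ws-radiology-07",
     "Faulting application name: DicomViewer.exe, version: 3.2.0.0, time stamp: 0x5f3e1c2a "
     "Faulting module name: ImageGearExample.dll, version: 19.9.0.0, time stamp: 0x5f1a0b9c "
     "Exception code: 0xc0000409 Fault offset: 0x0001a2b3 Faulting process id: 0x1c40"),
    ("ws-radiology-07",
     "Faulting application name: DicomViewer.exe, version: 3.2.0.0, time stamp: 0x5f3e1c2a "
     "Faulting module name: ImageGearExample.dll, version: 19.9.0.0, time stamp: 0x5f1a0b9c "
     "Exception code: 0xc0000005 Fault offset: 0x0001a2f1 Faulting process id: 0x2210"),
    ("srv-pacs-01",   # managed-code exception in the same module: not memory corruption
     "Faulting application name: IngestWorker.exe, version: 1.0.0.0, time stamp: 0x5f3e1c2a "
     "Faulting module name: ImageGearExample.dll, version: 19.9.0.0, time stamp: 0x5f1a0b9c "
     "Exception code: 0xe0434352 Fault offset: 0x00012345 Faulting process id: 0x0a10"),
    ("ws-admin-02",   # access violation, but not in a watched module
     "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x5f3e1c2a "
     "Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x5f1a0b9c "
     "Exception code: 0xc0000005 Fault offset: 0x00045678 Faulting process id: 0x1234"),
]

if __name__ == "__main__":
    found, counts = imagegear_crash_alerts(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(dict(counts))
```

Feed it the Event ID 1000 message bodies from your log forwarder and correlate the per-host counts with DICOM file arrivals on the same host in the preceding minutes; a crash in the ImageGear module shortly after a file from an unusual sender is the pattern worth escalating.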