CVE-2021-41688
📋 TL;DR
CVE-2021-41688 is a double-free vulnerability in DCMTK's dcmqrdb program that allows attackers to cause denial of service by sending specific requests. This affects systems running DCMTK up to version 3.6.6, particularly healthcare and medical imaging systems using DICOM protocols.
💻 Affected Systems
- DCMTK (DICOM Toolkit)
📦 What is this software?
DCMTK by OFFIS
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of DICOM query services, potentially affecting medical imaging workflows and patient care systems.
Likely Case
Service crashes and instability in dcmqrdb processes, requiring manual restarts and causing temporary service interruptions.
If Mitigated
Minimal impact with proper network segmentation and monitoring; crashes would be contained and quickly detected.
🎯 Exploit Status
Exploitation requires sending specific malformed requests to the dcmqrdb service. No authentication is needed, but the attacker must have network access to the service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb and later versions
Vendor Advisory: https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb
Restart Required: Yes
Instructions:
1. Update DCMTK to a version after 3.6.6 or apply commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb.
2. Recompile dcmqrdb from source.
3. Restart the dcmqrdb service.
4. Verify that the service is running the patched version.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the dcmqrdb service to trusted sources only
iptables -A INPUT -p tcp --dport [dcmqrdb_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [dcmqrdb_port] -j DROP
Service Monitoring and Restart
Linux: Implement monitoring and automatic restart for the dcmqrdb service
systemctl enable dcmqrdb
systemctl start dcmqrdb
Add to monitoring: check process dcmqrdb and restart if down
🧯 If You Can't Patch
- Disable dcmqrdb service if not required for operations
- Implement strict network segmentation and firewall rules to limit access to dcmqrdb service
🔍 How to Verify
Check if Vulnerable:
Check the DCMTK version with dcmqrdb --version, or check the installed package version. If the version is 3.6.6 or earlier, the system is vulnerable.
Check Version:
dcmqrdb --version 2>&1 | grep Version || dpkg -l | grep dcmtk || rpm -qa | grep dcmtk
Verify Fix Applied:
Verify that dcmqrdb is running a patched version, and test with normal DICOM queries to confirm service stability.
📡 Detection & Monitoring
Log Indicators:
- dcmqrdb process crashes or abnormal terminations
- Multiple connection attempts with malformed DICOM queries
- Service restart patterns in system logs
Network Indicators:
- Unusual traffic patterns to dcmqrdb port (default 11112)
- Multiple rapid connections to dcmqrdb service
- Malformed DICOM request packets
SIEM Query:
source="dcmqrdb.log" AND ("segmentation fault" OR "double free" OR "aborted" OR "crash")
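One way to turn the log indicators above into an alert, as an added example that is not part of the original advisory or of DCMTK: it counts dcmqrdb crashes in syslog-style lines and flags repeated crashes within a short window. The line layout, the sample lines, the thresholds and the function names are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Terms from the SIEM query above, plus systemd's signal-exit status (assumed format).
CRASH = re.compile(
    r"segmentation fault|double free|aborted|crash|status=\d+/(?:ABRT|SEGV)", re.I
)
# Assumed line layout: ISO-8601 timestamp, host, "tag[pid]:", message.
LINE = re.compile(r"^(\d{4}-\S+) \S+ (\S+?)(?:\[\d+\])?: (.*)$")

# Constructed sample lines, not taken from a real system.
SAMPLE = """\
2024-06-01T10:00:01+00:00 pacs1 dcmqrdb[811]: free(): double free detected in tcache 2
2024-06-01T10:00:01+00:00 pacs1 systemd[1]: dcmqrdb.service: Main process exited, code=killed, status=6/ABRT
2024-06-01T10:03:40+00:00 pacs1 dcmqrdb[902]: free(): double free detected in tcache 2
2024-06-01T10:03:40+00:00 pacs1 systemd[1]: dcmqrdb.service: Main process exited, code=killed, status=6/ABRT
2024-06-01T10:07:15+00:00 pacs1 systemd[1]: dcmqrdb.service: Main process exited, code=killed, status=6/ABRT
2024-06-01T10:07:16+00:00 pacs1 systemd[1]: Started dcmqrdb.service.
2024-06-01T12:30:00+00:00 pacs1 systemd[1]: dcmqrdb.service: Main process exited, code=killed, status=11/SEGV
""".splitlines()


def crash_events(lines, process="dcmqrdb", merge=timedelta(seconds=5)):
    """Crash timestamps from chronological lines; one crash often logs several lines."""
    crashes = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, tag, msg = m.groups()
        if (process in tag or process in msg) and CRASH.search(msg):
            when = datetime.fromisoformat(ts)
            # Lines within `merge` of the previous crash describe the same crash.
            if not crashes or when - crashes[-1] > merge:
                crashes.append(when)
    return crashes


def crash_bursts(crashes, threshold=3, window=timedelta(minutes=10)):
    """(first, last) of each run that reaches `threshold` crashes within `window`."""
    bursts, recent, active = [], deque(), False
    for ts in crashes:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and not active:
            bursts.append((recent[0], ts))
        active = len(recent) >= threshold
    return bursts
```

A single crash followed by a clean restart produces no alert here; only the repeated-crash pattern does, which keeps an occasional unrelated fault from paging anyone.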
🔗 References
- https://github.com/DCMTK/dcmtk
- https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb
- https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html