CVE-2023-33466
📋 TL;DR
This vulnerability in Orthanc allows authenticated users with API access to overwrite arbitrary files on the file system. In specific deployment scenarios, attackers can overwrite the configuration file to achieve remote code execution. All Orthanc deployments before version 1.12.0 are affected.
💻 Affected Systems
- Orthanc
📦 What is this software?
Orthanc by Orthanc Server
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Unauthorized file modification leading to service disruption, data corruption, or privilege escalation.
If Mitigated
Limited to authenticated users only, with proper access controls preventing configuration file access.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.0 and later
Vendor Advisory: https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
Restart Required: Yes
Instructions:
1. Back up the current Orthanc configuration and data.
2. Download Orthanc 1.12.0 or later from official sources.
3. Stop the Orthanc service.
4. Install the new version.
5. Restart the Orthanc service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict API Access
Limit Orthanc API access to trusted networks and users only
Configure firewall rules to restrict access to Orthanc API port (default 8042)
Implement IP whitelisting for API endpoints
File Permission Hardening
Set strict file permissions on the Orthanc configuration and other critical files (Linux):
chmod 600 /etc/orthanc/orthanc.json
chown orthanc:orthanc /etc/orthanc/orthanc.json
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Orthanc instances
- Enforce multi-factor authentication and strong password policies for all Orthanc users
🔍 How to Verify
Check if Vulnerable:
Check the Orthanc version via the /system REST endpoint (also shown in the web interface)
Check Version:
curl -X GET http://localhost:8042/system | grep Version
Verify Fix Applied:
Verify that the reported version is 1.12.0 or later, then confirm that file overwrite attempts via the API are rejected
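The version check above, carried out with a proper numeric comparison, as an added example that is not part of the advisory or the Orthanc project's own code. It assumes that GET /system returns a JSON object with a "Version" field (the field the curl check greps for) and that HTTP basic auth, if enabled, is accepted on that endpoint; the sample reply is constructed.

```python
import json
import re
import urllib.request
from base64 import b64encode

# First Orthanc release that fixes CVE-2023-33466 (from the advisory).
FIXED_VERSION = (1, 12, 0)

def parse_version(text):
    """Turn a version string such as '1.11.3' into a comparable tuple.

    Plain string comparison is wrong here: '1.9.7' sorts after '1.12.0'
    as text, so each component is compared as an integer instead.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version):
    """True when the reported version predates the 1.12.0 fix."""
    return parse_version(version) < FIXED_VERSION

def assess_system_json(body):
    """Read the JSON body returned by GET /system and assess it."""
    doc = json.loads(body)
    if "Version" not in doc:
        raise ValueError("/system response carries no 'Version' field")
    version = doc["Version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}

def assess_server(base_url="http://localhost:8042", user=None, password=None):
    """Fetch /system from a live instance (HTTP basic auth is optional)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/system")
    if user is not None:
        token = b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return assess_system_json(resp.read().decode("utf-8"))

# Constructed sample of a /system reply from an unpatched instance.
SAMPLE_SYSTEM_JSON = '{"Name": "MyOrthanc", "Version": "1.11.3"}'

if __name__ == "__main__":
    result = assess_system_json(SAMPLE_SYSTEM_JSON)
    verdict = "VULNERABLE, upgrade to 1.12.0+" if result["vulnerable"] else "fixed"
    print(f"Orthanc {result['version']}: {verdict}")
```

Call assess_server() with the instance URL and credentials to check a running deployment instead of the constructed sample.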
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file write attempts via API
- Unauthorized configuration file modification attempts
- Unusual API access patterns from non-standard IPs
Network Indicators:
- Unusual volume of PUT/POST requests to Orthanc API endpoints
- Traffic to Orthanc API from unexpected sources
SIEM Query:
source="orthanc.log" AND ("PUT /instances" OR "POST /instances") AND response_code=200 AND file_path CONTAINS "/etc/"
🔗 References
- https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
- https://lists.debian.org/debian-lts-announce/2023/09/msg00009.html
- https://www.debian.org/security/2023/dsa-5473