CVE-2023-34295
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of Sante DICOM Viewer Pro by tricking users into opening malicious DCM files. The flaw exists in how the software parses DCM files, enabling out-of-bounds writes that can lead to remote code execution. Healthcare organizations and medical imaging professionals using this software are primarily affected.
💻 Affected Systems
- Sante DICOM Viewer Pro
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected workstation, potentially leading to data theft, ransomware deployment, or lateral movement within healthcare networks.
Likely Case
Local privilege escalation leading to data exfiltration of medical images and patient information, or installation of persistent malware on the workstation.
If Mitigated
Limited impact with only application crash or denial of service if exploit attempts are blocked by security controls.
🎯 Exploit Status
Exploitation requires user interaction but is technically straightforward once a malicious DCM file is crafted. The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-21125).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references - check vendor advisory
Vendor Advisory: Not provided in references - check Sante software vendor website
Restart Required: Yes
Instructions:
1. Visit the Sante software vendor website
2. Download the latest version of Sante DICOM Viewer Pro
3. Install the update following vendor instructions
4. Restart the application and system
🔧 Temporary Workarounds
Restrict DCM file handling (Windows)
Configure the system to open DCM files with alternative, non-vulnerable software
Windows: Use Default Programs settings to change file association for .dcm files
User awareness training (all platforms)
Train users to only open DCM files from trusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the version of Sante DICOM Viewer Pro installed - if it's not the latest version from the vendor, assume vulnerable
Check Version:
Within Sante DICOM Viewer Pro: Help → About or check program properties in Windows
Verify Fix Applied:
Verify the software version matches the patched version from vendor advisory and test with known safe DCM files
📡 Detection & Monitoring
Log Indicators:
- Application crashes when opening DCM files
- Unusual process creation from Sante DICOM Viewer
- Failed file parsing attempts
Network Indicators:
- Outbound connections from Sante DICOM Viewer to unexpected destinations
- Unusual network traffic following DCM file opening
SIEM Query:
Process Creation where (Parent Image contains 'dicom' OR Image contains 'dicom') AND Command Line contains suspicious parameters
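As an added illustration of the detection logic above (not part of this advisory), the following Python runs the SIEM query's conditions over constructed Sysmon-style process-creation events and also covers the "unusual process creation" indicator by flagging the viewer spawning a shell or script host. The viewer's install path and executable name, and the sample events, are assumptions, not values from the advisory.

```python
import json

# Constructed Sysmon-style process-creation events (JSON lines), not real logs.
# The viewer's install path and executable name below are assumed placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Sante DICOM Viewer Pro\\DicomViewer.exe", "CommandLine": "DicomViewer.exe C:\\scans\\study1.dcm"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Sante DICOM Viewer Pro\\DicomViewer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Sante DICOM Viewer Pro\\DicomViewer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo test"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Sante DICOM Viewer Pro\\DicomViewer.exe", "Image": "C:\\Program Files\\Sante DICOM Viewer Pro\\DicomViewer.exe", "CommandLine": "DicomViewer.exe --print C:\\scans\\study2.dcm"}
"""

# Shells and script hosts a DICOM viewer has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that commonly mark a hidden or downloading script.
SUSPICIOUS_PARAMS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "bypass", "downloadstring", "http://", "https://")

def parse_events(log_text):
    """Parse JSON-lines events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going past a truncated or non-JSON line
    return events

def basename(path):
    # Lower-cased file name of a Windows or POSIX path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one alert per viewer-related process-creation event that matches a rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # Sysmon event ID 1 = process creation
            continue
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "").lower()
        if "dicom" not in image.lower() and "dicom" not in parent.lower():
            continue  # the advisory's query only considers viewer-related events
        reasons = []
        if "dicom" in parent.lower() and basename(image) in SUSPICIOUS_CHILDREN:
            reasons.append("unexpected child process " + basename(image))
        hits = [p for p in SUSPICIOUS_PARAMS if p in cmdline]
        if hits:
            reasons.append("suspicious parameters: " + ", ".join(hits))
        if reasons:
            alerts.append({"image": image, "parent": parent, "reasons": reasons})
    return alerts
```

The viewer opening a file, or re-spawning itself to print one, produces no alert; only the two events where it launched a shell or script host do.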