CVE-2023-51637
📋 TL;DR
This is a critical SQL injection vulnerability in Sante PACS Server PG that allows unauthenticated remote attackers to execute arbitrary code. Attackers can exploit the DICOM service on port 11122 by sending specially crafted PATIENT record queries, leading to full system compromise. All installations with the vulnerable component exposed are affected.
💻 Affected Systems
- Sante PACS Server PG
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with NETWORK SERVICE privileges, data exfiltration, ransomware deployment, and lateral movement within the network.
Likely Case
Remote code execution leading to data theft, system compromise, and potential pivot to other systems in the healthcare network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
No authentication required, SQL injection to RCE chain is straightforward. ZDI has confirmed the vulnerability but hasn't released exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references, check vendor advisory
Vendor Advisory: https://www.santesoft.com/security-advisories (check for specific advisory)
Restart Required: Yes
Instructions:
1. Contact Santesoft for the latest security patch.
2. Apply the patch following vendor instructions.
3. Restart the Sante PACS Server service.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Network Access Control
Block external access to port 11122 using firewall rules
Windows Firewall: New-NetFirewallRule -DisplayName "Block Sante PACS" -Direction Inbound -LocalPort 11122 -Protocol TCP -Action Block
Linux iptables: iptables -A INPUT -p tcp --dport 11122 -j DROP
Service Restriction
Configure the DICOM service to only accept connections from trusted IP addresses
Configure in Sante PACS Server settings or use host firewall to allow specific IPs only
🧯 If You Can't Patch
- Immediately implement network segmentation to isolate the Sante PACS Server from untrusted networks
- Deploy a web application firewall (WAF) with SQL injection protection rules in front of the service
🔍 How to Verify
Check if Vulnerable:
Check if Sante PACS Server PG is running and listening on port 11122: netstat -an | findstr :11122 (Windows) or ss -tlnp | grep :11122 (Linux)
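The commands above only tell you whether something is listening on 11122; the practical question is whether that listener is bound to every interface or only to loopback or one internal address. The following script is an added example (not part of this advisory and not Santesoft code) that parses the output of `netstat -an` or `ss -tlnp` and classifies the exposure of the port. The sample output embedded in it is constructed to illustrate both formats; a listening port, whatever its binding, still needs the vendor version check to decide whether the installed build is vulnerable.

```python
import re

# Constructed sample output in the shape `netstat -an` prints on Windows.
# Not captured from a real Sante PACS host.
WINDOWS_NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:11122          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.7:443       ESTABLISHED
"""

# Constructed sample output in the shape `ss -tlnp` prints on Linux.
LINUX_SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:11122     0.0.0.0:*          users:(("pacs",pid=4242,fd=7))
LISTEN  0       128     *:22                *:*                users:(("sshd",pid=900,fd=3))
"""

# Addresses that mean "every interface" in either tool's output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

ADDR_PORT_RE = re.compile(r"(?P<addr>.+):(?P<port>\d+)")


def listening_sockets(output: str) -> list[tuple[str, int]]:
    """Return (local_address, port) for every LISTEN/LISTENING line.

    Works for both formats because in each the local address is the first
    whitespace-separated field of the form host:port (netstat: Proto, Local,
    Foreign, State; ss: State, Recv-Q, Send-Q, Local, Peer, Process).
    """
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not any(f.startswith("LISTEN") for f in fields):
            continue
        for field in fields:
            m = ADDR_PORT_RE.fullmatch(field)
            if m:
                sockets.append((m.group("addr"), int(m.group("port"))))
                break  # first host:port field is the local side
    return sockets


def exposure(output: str, port: int = 11122) -> str:
    """Classify how the given port is bound.

    'not-listening'    -> nothing listens on the port
    'all-interfaces'   -> bound to a wildcard address (reachable from any network)
    'loopback-only'    -> only bound to 127.x / ::1
    'specific-address' -> bound to one or more concrete non-loopback addresses
    """
    addrs = [addr for addr, p in listening_sockets(output) if p == port]
    if not addrs:
        return "not-listening"
    if any(a in WILDCARD_ADDRS for a in addrs):
        return "all-interfaces"
    if all(a.startswith(LOOPBACK_PREFIXES) for a in addrs):
        return "loopback-only"
    return "specific-address"


if __name__ == "__main__":
    # On a real host, feed the live command output instead of the samples, e.g.
    #   subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print("windows sample:", exposure(WINDOWS_NETSTAT_SAMPLE))
    print("linux sample:  ", exposure(LINUX_SS_SAMPLE))
```

An `all-interfaces` result on a host reachable from outside the imaging VLAN is the situation the workarounds above are meant to remove; `loopback-only` or a binding to an address that firewall rules already restrict narrows the exposure but does not replace the patch.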
Check Version:
Check Sante PACS Server administration interface or consult vendor documentation for version check command
Verify Fix Applied:
Verify the patch version from vendor and ensure port 11122 is no longer vulnerable to SQL injection payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed connection attempts to port 11122
- Unexpected process execution from SQL service context
Network Indicators:
- SQL injection patterns in traffic to port 11122
- Unusual outbound connections from the PACS server
- Exploit kit traffic targeting healthcare systems
SIEM Query (generic pseudo-syntax; adapt the field names to your SIEM, and match on the destination port, since inbound DICOM traffic arrives at 11122):
dest_port:11122 AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "EXEC")
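The log indicators above (suspicious SQL tokens in PATIENT queries, repeated rejected connections from one source) can be checked with a small script rather than only with a SIEM. The following is an added example, not part of this advisory and not Santesoft code; the log line format it parses is an assumption constructed for the example (Sante PACS Server's real log format is not given on this page, so `LOG_RE` must be adapted to it), and the sample lines are constructed. It scores PATIENT name values so that a legitimate apostrophe in a name such as O'BRIEN does not by itself raise an alert, while the keyword patterns from the SIEM query above do.

```python
import re
from collections import Counter

# Constructed sample log, in an assumed application-log format.
# Addresses are documentation ranges; nothing here is from a real system.
SAMPLE_LOG = """\
2024-01-15 10:02:11 INFO  C-FIND PATIENT from 10.0.0.5:49322 PatientName="SMITH^JOHN"
2024-01-15 10:02:12 INFO  C-FIND PATIENT from 10.0.0.5:49323 PatientName="O'BRIEN^MARY"
2024-01-15 10:02:40 INFO  C-FIND PATIENT from 203.0.113.9:51000 PatientName="' UNION SELECT 1,2,3 --"
2024-01-15 10:03:01 WARN  ASSOCIATION REJECTED from 203.0.113.9:51010
2024-01-15 10:03:02 WARN  ASSOCIATION REJECTED from 203.0.113.9:51011
2024-01-15 10:03:03 WARN  ASSOCIATION REJECTED from 203.0.113.9:51012
2024-01-15 10:03:04 WARN  ASSOCIATION REJECTED from 203.0.113.9:51013
2024-01-15 10:03:05 WARN  ASSOCIATION REJECTED from 203.0.113.9:51014
2024-01-15 10:03:30 WARN  ASSOCIATION REJECTED from 10.0.0.5:49400
"""

# Assumed log line layout: timestamp, level, event, source ip:port, optional PatientName.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+(?P<event>C-FIND PATIENT|ASSOCIATION REJECTED)'
    r' from (?P<src>[\d.]+):(?P<sport>\d+)(?: PatientName="(?P<name>[^"]*)")?$'
)

# SQL keywords from the advisory's SIEM query; each occurrence weighs 2.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|EXEC)\b", re.IGNORECASE)
# Metacharacters that are common in injection attempts but also appear in
# ordinary data (an apostrophe in a surname); each occurrence weighs 1.
SQL_META = ("'", "--", ";", "/*")


def sqli_score(value: str) -> int:
    """Heuristic score: keywords count 2 each, metacharacters 1 each."""
    score = 2 * len(SQL_KEYWORDS.findall(value))
    score += sum(value.count(token) for token in SQL_META)
    return score


def analyze(log_text: str, sqli_threshold: int = 2, reject_threshold: int = 5) -> dict:
    """Scan log lines for the two indicators named in the advisory.

    Returns a dict with:
      sqli_alerts       - PATIENT queries whose name value scores >= sqli_threshold
      rejected_sources  - source IPs with >= reject_threshold rejected associations
    """
    sqli_alerts = []
    rejects = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed line: adapt LOG_RE to the real log format
        if m["event"] == "C-FIND PATIENT":
            name = m["name"] or ""
            score = sqli_score(name)
            if score >= sqli_threshold:
                sqli_alerts.append({"src": m["src"], "name": name, "score": score})
        else:
            rejects[m["src"]] += 1
    rejected_sources = sorted(src for src, n in rejects.items() if n >= reject_threshold)
    return {"sqli_alerts": sqli_alerts, "rejected_sources": rejected_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["sqli_alerts"]:
        print(f"possible SQL injection from {alert['src']}: {alert['name']!r} (score {alert['score']})")
    for src in result["rejected_sources"]:
        print(f"repeated rejected associations from {src}")
```

The thresholds are starting points: tune `sqli_threshold` against a sample of your own PATIENT queries so that names with apostrophes or hyphens stay below it, and set `reject_threshold` relative to the normal rate of rejected associations from your modalities.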