CVE-2024-1863
📋 TL;DR
Pre-authentication SQL injection in the token endpoint of Sante PACS Server, which listens on TCP port 3000 by default. A remote attacker who can reach that port sends a crafted HTTP request whose parameter value is concatenated into a SQL query without validation; the injection can be escalated to arbitrary code execution as SYSTEM. Every unpatched installation whose port 3000 is reachable by an attacker is affected, whether the attacker sits on the internet or on an adjacent internal network segment.
💻 Affected Systems
- Sante PACS Server
📦 What is this software?
Sante PACS Server is Santesoft's Windows-based PACS (Picture Archiving and Communication System): it stores DICOM studies received from imaging modalities and serves them to viewers and workstations. It sits on clinical networks and holds protected health information, so a compromise of the server is both a foothold into the hospital network and a data breach.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining SYSTEM privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Theft or tampering of the PACS database (patient studies and stored credentials), credential theft from the host, lateral movement to other clinical systems, and installation of cryptocurrency miners or other malware.
If Mitigated
Limited impact where port 3000 is unreachable from untrusted networks, but an attacker who already has a foothold on the imaging VLAN can still exploit it; segmentation reduces the attack surface and buys time, it does not remove the flaw.
🎯 Exploit Status
No authentication is required and the listener is on a fixed, well-known default port, so the vulnerability is straightforward to exploit once the injection point is known. It was reported through and published by Trend Micro's Zero Day Initiative (ZDI). The page does not state whether public exploit code is available; assume exposed hosts will be scanned for it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.santesoft.com/security-advisories/
Restart Required: Yes
Instructions:
1. Check SanteSoft security advisory for patch details
2. Download and install the latest patched version
3. Restart the Sante PACS Server service
4. Verify the patch is applied successfully: confirm the installed version against the advisory and re-check that port 3000 is reachable only from the networks that need it
🔧 Temporary Workarounds
Network Access Control
Windows: Block external access to port 3000/TCP using firewall rules
Windows Firewall: New-NetFirewallRule -DisplayName 'Block Sante PACS Port' -Direction Inbound -LocalPort 3000 -Protocol TCP -Action Block
Caveat: as written this rule blocks every inbound connection to port 3000, including legitimate workstations and modalities that use the token endpoint, and an explicit Block rule in Windows Firewall takes precedence over any Allow rule, so you cannot carve out exceptions with a second rule. If clients must keep working, instead rely on the profile's default inbound block, disable any broad Allow rule the installer created for the service, and add an Allow rule whose -RemoteAddress is restricted to the imaging subnets that need access. Apply the same restriction on the perimeter and internal firewalls, since the host firewall can be disabled by an attacker who gains local access.
Web Application Firewall
All platforms: Deploy a WAF with SQL injection protection rules in front of the token endpoint
Caveat: the WAF must inspect POST bodies as well as query strings, and signature rules are routinely bypassed with URL encoding, inline comments and case variation. Treat it as defense in depth that raises the cost of exploitation, not as a substitute for the patch.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Sante PACS Server from internet and critical systems
- Deploy intrusion detection/prevention systems with SQL injection signatures on traffic to port 3000; signatures only see cleartext, so if the endpoint is served over TLS the sensor must sit behind TLS termination, and it must inspect HTTP request bodies, not just URLs
🔍 How to Verify
Check if Vulnerable:
A host is vulnerable if it runs an unpatched Sante PACS Server version and has a listener on TCP port 3000 (visible on the host with netstat or Get-NetTCPConnection). Compare the installed version against the vendor's patched version list; an open port alone does not prove exploitability, but an unpatched version with the port reachable from any untrusted network should be treated as exposed.
Check Version:
Read the version from the Sante PACS Server administration interface, from the installed-programs list in Windows, or from the file version of the server executable in the installation directory.
Verify Fix Applied:
Verify the installed version matches or exceeds the patched version from the vendor advisory; the version check is the primary evidence. Only re-test with SQL injection payloads in a non-production environment with authorization, since error-based or time-based probes against a live PACS can cause outages.
📡 Detection & Monitoring
Log Indicators:
- SQL statements in database logs that carry quote-terminated tautologies (' OR '1'='1), UNION SELECT clauses, stacked statements after a semicolon, or delay functions, none of which a legitimate token request would generate
- Failed authentication attempts on the token endpoint, especially bursts from one source or usernames containing quotes and SQL keywords
- Unexpected child processes (cmd.exe, powershell.exe, script interpreters) spawned by the Sante PACS Server service process; this is the code-execution stage of a successful attack
Network Indicators:
- SQL injection patterns in HTTP requests to port 3000
- Unusual outbound connections from Sante PACS Server
- High volume of requests to /token endpoint
SIEM Query:
source="web_server" dest_port=3000 AND (http_uri="*token*" AND (http_query="*SELECT*" OR http_query="*UNION*" OR http_query="*OR 1=1*"))
This is a Splunk-style illustrative query; adapt the field names to your log source. As written it matches only literal, upper-case keywords in the query string, so it misses URL-encoded or comment-obfuscated payloads and anything carried in a POST body, and it relies on the proxy or WAF logging the full request. Normalise (decode and lower-case) before matching, inspect bodies where they are logged, and pair the signature search with the volume and process-creation indicators above.
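As an added example, not from the original page or from Santesoft, the following Python script implements the detection logic above over a handful of constructed log events shaped like the SIEM fields (src_ip, dest_port, uri, query, body). It goes beyond the literal string match of the query: it decodes percent-encoding more than once, strips inline SQL comments, inspects POST bodies as well as query strings, scopes alerts to port 3000 and the /token path, and flags a source that floods the endpoint. The event format, the field names, the sample payloads and the volume threshold are assumptions made for the example.

```python
"""Detect SQL-injection attempts against a PACS token endpoint in proxy/WAF log events."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

TOKEN_PORT = 3000         # Sante PACS token listener, default per the advisory
TOKEN_PATH = "/token"
VOLUME_THRESHOLD = 20     # requests per source in the batch (assumed threshold)

# Patterns run against a normalised value: decoded, lower-cased, comments stripped.
SQLI_PATTERNS = {
    "tautology":     re.compile(r"'\s*(or|and)\s+'?[\w.]+'?\s*(=|like)\s*'?[\w.]*"),
    "union_select":  re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "select_from":   re.compile(r"\bselect\b.+?\bfrom\b"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec|execute|xp_\w+|shutdown)\b"),
    "time_based":    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    "comment_tail":  re.compile(r"'\s*(--|#|/\*)"),
}


def normalise(value):
    """Undo the obfuscation the literal SIEM match misses."""
    # parse_qsl already decoded once; two more rounds catch double/triple encoding.
    for _ in range(2):
        value = unquote(value.replace("+", " "))
    value = value.lower()
    value = re.sub(r"/\*.*?\*/", " ", value)      # union/**/select -> union select
    return re.sub(r"\s+", " ", value)


def in_scope(event):
    """Only requests to the token endpoint on the PACS port are relevant."""
    return event.get("dest_port") == TOKEN_PORT and event.get("uri", "").startswith(TOKEN_PATH)


def parameter_values(event):
    """Yield normalised parameter values from both the query string and the form body."""
    for raw in (event.get("query", ""), event.get("body", "")):
        for _name, value in parse_qsl(raw, keep_blank_values=True):
            yield normalise(value)


def detect(event):
    """Return the set of SQLi pattern names matched for an in-scope request."""
    if not in_scope(event):
        return set()
    return {label for value in parameter_values(event)
            for label, rx in SQLI_PATTERNS.items() if rx.search(value)}


def scan(events):
    """Return (sqli_alerts, volume_alerts): per-event hits and sources flooding /token."""
    sqli_alerts, per_source = [], Counter()
    for event in events:
        if in_scope(event):
            per_source[event["src_ip"]] += 1
        hits = detect(event)
        if hits:
            sqli_alerts.append((event["src_ip"], sorted(hits)))
    volume_alerts = [ip for ip, n in per_source.items() if n >= VOLUME_THRESHOLD]
    return sqli_alerts, volume_alerts


# Constructed sample events (not real Sante PACS logs).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.5.20", "dest_port": 3000, "uri": "/token", "query": "",
     "body": "username=alice&password=S3cret"},                                   # benign login
    {"src_ip": "10.0.5.21", "dest_port": 3000, "uri": "/token", "query": "",
     "body": "username=o%27brien&password=x"},                                    # legitimate apostrophe
    {"src_ip": "203.0.113.7", "dest_port": 3000, "uri": "/token", "query": "",
     "body": "username=admin%27%20OR%20%271%27%3D%271&password=x"},              # admin' OR '1'='1
    {"src_ip": "203.0.113.7", "dest_port": 3000, "uri": "/token",
     "query": "username=%2527%2520UNION%2520SELECT%2520null%252C%2540%2540version%2520--&password=x",
     "body": ""},                                                                  # double-encoded UNION
    {"src_ip": "203.0.113.9", "dest_port": 3000, "uri": "/token", "query": "",
     "body": "username=a%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&password=x"},      # time-based probe
    {"src_ip": "203.0.113.9", "dest_port": 8080, "uri": "/token", "query": "",
     "body": "username=%27+or+1%3D1--"},                                          # wrong port: out of scope
] + [
    {"src_ip": "198.51.100.4", "dest_port": 3000, "uri": "/token", "query": "",
     "body": f"username=user{i}&password=x"} for i in range(25)                    # flood of benign-looking requests
]

if __name__ == "__main__":
    alerts, flooders = scan(SAMPLE_EVENTS)
    for ip, hits in alerts:
        print(f"SQLi from {ip}: {', '.join(hits)}")
    for ip in flooders:
        print(f"high volume to {TOKEN_PATH} from {ip}")
```

The flood check is deliberately separate from the signature check: a credential-stuffing or enumeration run against the token endpoint produces no SQL keywords at all, and a single exploit attempt produces no volume, so each indicator catches what the other misses.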