CVE-2024-22373
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code or cause denial of service via a specially crafted DICOM file containing malformed JPEG2000 data. It affects systems running Grassroot DICOM 3.0.23 that process untrusted DICOM files, particularly in medical imaging environments.
💻 Affected Systems
- Grassroot DICOM
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment on affected systems.
Likely Case
Application crash causing denial of service in medical imaging workflows, potentially disrupting patient care.
If Mitigated
Contained application crash with no privilege escalation if proper sandboxing and memory protections are in place.
🎯 Exploit Status
Exploitation requires only file upload/processing capability, no authentication needed. Technical details are public but no known exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.24 or later
Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZJ4IG7EXMSMPHTK5ZFASCW6MHSOVZOE/
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download Grassroot DICOM 3.0.24 or later from official repository.
3. Stop all DICOM services.
4. Install updated version.
5. Restart services and verify functionality.
🔧 Temporary Workarounds
File Validation Filter
Implement strict file validation to reject malformed DICOM files before processing.
# Configure DICOM service to validate file headers before processing
# Example: dicom-validator --strict-input /path/to/file.dcm
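A concrete form of this filter, added here as an example (not code from this page or from the GDCM project): a Python pre-filter that reads only the DICOM Part 10 File Meta Information and quarantines files that are not well-formed Part 10 or whose Transfer Syntax UID selects a JPEG 2000 codec, so they never reach an unpatched decoder. The UIDs are the standard DICOM JPEG 2000 transfer syntaxes; the header builder constructs sample input, and the quarantine-on-JPEG-2000 policy is an assumption for sites that can hold such files until 3.0.24 is deployed.

```python
import struct

# Transfer syntax UIDs that select a JPEG 2000 codec (DICOM PS3.5, Annex A).
JPEG2000_TRANSFER_SYNTAXES = {
    "1.2.840.10008.1.2.4.90",  # JPEG 2000 (lossless only)
    "1.2.840.10008.1.2.4.91",  # JPEG 2000
    "1.2.840.10008.1.2.4.92",  # JPEG 2000 Part 2 multi-component (lossless only)
    "1.2.840.10008.1.2.4.93",  # JPEG 2000 Part 2 multi-component
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved bytes + 4-byte length

def transfer_syntax_uid(data: bytes):
    """Return the (0002,0010) Transfer Syntax UID of a DICOM Part 10 byte string,
    or None if the 'DICM' magic is missing, an element is truncated, or the
    element is absent. Only the meta group is parsed; pixel data is never decoded."""
    if len(data) < 132 or data[128:132] != b"DICM":
        return None
    pos = 132  # first File Meta element; group 0002 is always explicit VR LE
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        if group != 0x0002:
            break  # end of the meta group; the dataset proper starts here
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                return None  # header itself is cut off
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if pos + length > len(data):
            return None  # declared length runs past end of file: malformed
        value = data[pos:pos + length]
        pos += length
        if (group, element) == (0x0002, 0x0010):
            return value.rstrip(b"\x00 ").decode("ascii", errors="replace")
    return None

def should_quarantine(data: bytes) -> bool:
    """True if the file is not well-formed Part 10 or selects a JPEG 2000 codec."""
    uid = transfer_syntax_uid(data)
    return uid is None or uid in JPEG2000_TRANSFER_SYNTAXES

def build_part10_header(uid: str) -> bytes:
    """Constructed sample input: preamble, 'DICM' and one (0002,0010) UI element."""
    value = uid.encode("ascii")
    if len(value) % 2:
        value += b"\x00"  # UI values are NUL-padded to even length
    element = struct.pack("<HH2sH", 0x0002, 0x0010, b"UI", len(value)) + value
    return b"\x00" * 128 + b"DICM" + element
```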
Network Segmentation
Isolate DICOM processing systems from untrusted networks and implement strict upload controls.
# Firewall rule example: iptables -A INPUT -p tcp --dport 104 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 104 -j DROP
🧯 If You Can't Patch
- Implement application sandboxing with minimal privileges to contain potential exploitation
- Deploy network-based intrusion detection to monitor for anomalous DICOM file transfers
🔍 How to Verify
Check if Vulnerable:
Check Grassroot DICOM version: 'gdcm --version' or examine package manager output. Version 3.0.23 is vulnerable.
Check Version:
gdcm --version 2>/dev/null || rpm -q gdcm || dpkg -l | grep gdcm
Verify Fix Applied:
Confirm version is 3.0.24 or later and test processing of known safe DICOM files.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults in JPEG2000 decoding
- Unusually large or malformed DICOM file processing attempts
Network Indicators:
- Multiple failed DICOM file transfers from single source
- Anomalous DICOM file sizes or transfer patterns
SIEM Query:
source="dicom_server" AND (event="segmentation_fault" OR event="buffer_overflow")
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZJ4IG7EXMSMPHTK5ZFASCW6MHSOVZOE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5HXUKUJ7SG3TK456SGUWVZ4Z5D7JKOL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJA7QWWZWMY4AQFR35EA7S3CFVUTOQYG/
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935